
Craft a P3P policy to make IE behave

Justin James describes how web application developers can solve a quirk of Internet Explorer involving the Platform for Privacy Preferences Project standard.

I recently had a very frustrating experience with a Web application I was working on. A page in the application was designed to be embedded into our customers' websites within an iframe, but in Internet Explorer it wasn't working right; specifically, things that were happening within popup windows it was creating (via jQuery) were acting completely disconnected from the underlying page. After some digging, it was clear the system was starting a new session for the pages called in the popups. It turns out this is a well-documented but not well-known quirk of Internet Explorer.

IE implements the widely forgotten and ignored Platform for Privacy Preferences (P3P) Project standard, and uses it to determine how it will handle certain pieces of information, including cookies. Specifically, it looks at the compact policy, compares it to your privacy settings, and allows or denies certain types of activity. At the default settings, IE rejects cookies from a site without a P3P policy when that site is loaded in an iframe or is otherwise considered a third party. JavaScript called from a third-party site would have the same restrictions, for example. The good news is this is a benefit for users. The bad news is few developers ever test these scenarios, let alone across a multitude of browsers, so the issues aren't apparent until well after the code is written. In our case, we had this bug in the wild for months before it was reported.

To get IE to behave, you need to do two things: create a privacy policy and then refer to it in the HTTP headers as a compact policy. You will be tempted to go to your search engine of choice and find one that works (like this one), but don't do that. Google does this. Google also has had the pants sued off of them for it. While it is unlikely you'll be sued for doing so unless you have a high visibility, the P3P policy you present is a legal commitment to your users. So instead of shoving whatever you think will get you past your IE problems into a header and washing your hands, craft a good policy.

I have done this in the past with a free tool from IBM Alphaworks. IBM has taken the tool offline, though a quick search will dig up other copies of it. I am not a huge fan of those, since I can't find one from what I consider a reputable source, and I don't like malware on my computer. Also, while it is free and it works, it is a royal hassle to use. I chose to use P3P Wiz, which costs $29.95 for the first year and $19.95 in subsequent years. You only pay one time to make a policy; the subscription allows you to edit your existing policies. I like that P3P Wiz is wizard driven and contains plenty of boilerplate text to keep you from doing much typing. The time I saved more than justified spending $29.95 on P3P Wiz.

When creating your policy, you need to be 100% truthful. IE's documentation makes it very clear you need a policy that states "opt-in" or "opt-out" on a number of policy components in order to have your site work properly as a third-party site. Again, the various "cookbook" versions of an acceptable privacy policy will work, but you can write a much more accurate and detailed P3P policy for a site that uses a lot of personal information and it will still work. For my project, this compact policy worked fine, despite the extra items in it compared to the "cookbook" policy others use:

"CURa ADMa DEVa TAIi PSAi PSDi IVAi IVDi CONi HISa TELi OUR IND DSP CAO COR".

Once you write your policy, P3P Wiz will give you a number of files:

  • An HTML file with a human-readable policy. IE uses this when you look at the details for a site to read the specifics.
  • A policies.xml file with the lengthy full-format version of the policies.
  • A headers.txt file that tells you how to implement the compact policy in various browsers.
  • A p3p.xml file that points IE to the policies and the privacy files.

By default, you should upload these files to a w3c directory on your server and then add an HTTP header (like: P3P: policyref="http://www.example.com/w3c/p3p.xml", CP="CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR") or a link tag (such as: <link rel="P3Pv1" href="/w3c/p3p.xml">) to your code to point to the full-format policy.

From what I can tell, IE does not compare the compact policy to the full-format policy, so the full-format policy is not strictly needed. That said, if you're going to spend the time and effort to put together an enforceable, accurate P3P policy, it's not much more difficult to make a full-format policy too, since you'll be using a tool like IBM's or P3P Wiz anyway.

To give you an idea of the different ways to add the header, here are the code samples from my headers.txt file from P3P Wiz, made to be more generic:

PHP CODE

header("P3P: policyref=\"http://www.example.com/w3c/p3p.xml\", CP=\"CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR\"");

ASP CODE

Response.AddHeader("P3P","CP=\"CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR\"");

PERL CODE (Must be first print statement)

print "P3P: policyref=\"http://www.example.com/w3c/p3p.xml\", CP=\"CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR\"\n\n";

JSP CODE

response.setHeader("P3P", "CP=\"CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR\"");

COLDFUSION CODE

<cfheader name="P3P" value='CP="CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR"' />

HTACCESS CODE (mod_headers required)

Header append P3P 'CP="CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR", policyref="/w3c/p3p.xml"'

The code end of this project is easy. The difficult part is thinking about all of the things your application does with private data and ensuring that the P3P policy accurately describes your data use.
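Whichever of the snippets above you use, the compact policy string is typed by hand and IE silently ignores anything it cannot parse, so it is worth validating it before it ships. The following is an added example, not code from the article or from P3P Wiz: it checks a CP string against the P3P 1.0 compact-policy vocabulary, lists which purposes the user has no opt-in or opt-out over, and builds the header value in the same shape as the samples above. The policy strings used in the comments are the article's own; everything else is assumed.

```python
"""Validate a P3P compact policy (CP) and build the P3P response header value.
Token vocabulary is the W3C P3P 1.0 compact-policy grammar; this is an added
example, not the article's or P3P Wiz's code."""
import re

# Compact tokens grouped by the full-policy element they abbreviate.
_GROUPS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "category": {"PHY", "ONL", "GOV", "FIN", "UNI", "PUR", "COM", "NAV", "INT",
                 "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"},
    "disputes": {"DSP"},
    "non_identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
                "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "remedies": {"COR", "MON", "LAW"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "test": {"TST"},
}
# Purpose and recipient tokens may carry a consent suffix: a=always, i=opt-in, o=opt-out.
_CONSENT = {"a": "always", "i": "opt-in", "o": "opt-out"}
_TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")

def parse_compact_policy(cp):
    """Return {group: {token: consent}} for a CP string; raise ValueError on a bad token."""
    result = {group: {} for group in _GROUPS}
    for raw in cp.split():
        match = _TOKEN_RE.match(raw)
        if not match:
            raise ValueError(f"malformed token {raw!r}")
        token, suffix = match.groups()
        group = next((g for g, toks in _GROUPS.items() if token in toks), None)
        if group is None:
            raise ValueError(f"unknown P3P token {raw!r}")
        if suffix and group not in ("purpose", "recipient"):
            raise ValueError(f"{raw!r}: consent suffix only valid on purpose/recipient tokens")
        result[group][token] = _CONSENT.get(suffix)  # None when no suffix given
    return result

def purposes_without_consent(cp):
    """Purposes marked 'always' (or unmarked): uses of data the user cannot opt in to or out of."""
    purposes = parse_compact_policy(cp)["purpose"]
    return sorted(tok for tok, consent in purposes.items() if consent in (None, "always"))

def p3p_header_value(cp, policyref=None):
    """Build the value of a 'P3P:' header, validating the CP string first.
    For the article's CP and policyref this yields the header shown in the PHP sample."""
    parse_compact_policy(cp)
    parts = [f'policyref="{policyref}"'] if policyref else []
    parts.append(f'CP="{cp}"')
    return ", ".join(parts)
```

Run `purposes_without_consent` over your own CP before publishing it: every token it returns is a data use your policy commits you to without offering users a choice, which is exactly the part that has to match what the application really does.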

J.Ja


About

Justin James is the Lead Architect for Conigent.

4 comments
mattohare

So, if I'm not using cookies for my sessions, it's not an issue? Given all the headache the European Union gives over them, I've been avoiding them like a patch of nettles.

bill.dickson

I think this explains why an ASP.net web forms app failed to work correctly when called from within an IFRAME (a number of functions in web forms require JavaScript support). I had two clients that wanted to run my apps from within an IFRAME in a PHP page and it didn't work. Would the policy have to be in the calling PHP page or in the ASP.net pages?

Justin James

Mat - Yup. If you're using sessions in the URL there's no worries at all. J.Ja

Justin James

You need to do this in the ASP.NET page; it has to certify to IE that it won't do anything nefarious with the data. J.Ja