Minority Opinions

Not everyone can be mainstream, after all.

Privacy Prevention Protocol


Symptoms

  • Your site works when used in its own page.
  • Your site works when used in an iframe from another page on your site.
  • Your site works when used in an iframe on Firefox or Chrome.
  • But your site breaks mysteriously when used in an iframe on Internet Explorer.

Solution

Add the following incantation to your HTTP headers:

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"


Wait, what?

Near the end of the last century, companies started tracking you via cookies, collecting information either for their own marketing or for sale to the highest bidder.  Information is powerful, particularly when aggregated into large enough clusters to reveal meaningful patterns.  However, it’s also intrusive, particularly when you start getting annoyed by unsolicited advertisements through every single way you can be contacted.

Somebody, probably with the highest of intentions, tried to use technology to make it easier for internet users to decide who could do what with the information they might be collecting.  The idea was that the server could make proposals that would be either accepted or rejected by the browser.  The browser’s main mechanism for rejecting these proposals is to avoid storing a cookie.

Currently, exactly one browser family rejects cookies when the server doesn’t send such a proposal, and only under mysterious circumstances.  Perhaps this behavior was designed when a large number of iframes were used for advertisements, or perhaps it has something to do with the cookie domain never appearing in the visible URL, but Internet Explorer treats cookies as suspect when they are set by a third-party site within an iframe.

I deal with such iframes frequently, in contexts where the cookie represents a login session.  The user doesn’t have to know that the content is from a third-party site, due to single sign-on.  But the browser knows, and the browser can freak out.

The way to calm it down is to tell it what you’re going to do with that cookie, in Privacy Preferences Platform (P3P) format.  In theory, that line above is a legally binding declaration that you will not collect certain types of information about the user, and/or will not share that information with certain types of third parties.  Maybe.  In practice, we were using it in production because it came bundled with a framework we used, and nobody noticed until a client complained that one of our other products was failing when embedded in their site.  We haven’t yet been sued for the way we use cookies or user information, and I doubt that a P3P header would really hold up in court, but it’s still a little disconcerting that we’ve (sort of) been making a promise without even realizing it.
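To see what that header line actually declares, here is an added example (not code from the original post) that decodes a P3P compact policy string using the W3C P3P 1.0 token vocabulary and lists the clauses worth a second look; the review heuristic at the end is this example's own, not part of P3P.

```python
import re
# W3C P3P 1.0 compact-policy vocabulary, grouped by the policy element each token stands for.
P3P_TOKENS = {
    "access": {"NOI": "identified data not used", "ALL": "all", "CAO": "contact and other",
               "IDC": "identified contact", "OTI": "other identified", "NON": "none"},
    "purpose": {"CUR": "current activity", "ADM": "site administration", "DEV": "development",
                "TAI": "tailoring", "PSA": "pseudonymous analysis", "PSD": "pseudonymous decision",
                "IVA": "individual analysis", "IVD": "individual decision", "CON": "contacting user",
                "HIS": "historical preservation", "TEL": "telemarketing", "OTP": "other purposes"},
    "recipient": {"OUR": "ourselves and our agents", "DEL": "delivery services",
                  "SAM": "others with the same practices", "UNR": "unrelated third parties",
                  "PUB": "public forums", "OTR": "other recipients"},
    "retention": {"NOR": "not retained", "STP": "stated purpose", "LEG": "legal requirement",
                  "BUS": "business practices", "IND": "indefinitely"},
    "category": {"PHY": "physical contact", "ONL": "online contact", "UNI": "unique ids",
                 "PUR": "purchase", "FIN": "financial", "COM": "computer", "NAV": "navigation",
                 "INT": "interactive", "DEM": "demographic", "CNT": "content", "STA": "state",
                 "POL": "political", "HEA": "health", "PRE": "preference", "LOC": "location",
                 "GOV": "government id", "OTC": "other"},
    "other": {"DSP": "disputes", "COR": "remedy: correct", "MON": "remedy: money",
              "LAW": "remedy: law", "NID": "non-identifiable", "TST": "test policy"},
}
SUFFIX = {"": "always", "a": "always", "i": "opt-in", "o": "opt-out"}
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")
PAGE_CP = "NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"  # the header from the post above
def decode_cp(cp):
    """Parse a CP string into {element: [(token, meaning, choice)]}; reject malformed input."""
    policy = {}
    for raw in cp.split():
        m = TOKEN_RE.match(raw)
        if not m:
            raise ValueError("malformed token: %r" % raw)
        tok, suf = m.groups()
        element = next((e for e, t in P3P_TOKENS.items() if tok in t), None)
        if element is None:
            raise ValueError("unknown token: %r" % raw)
        # a/i/o suffixes are only defined for purposes (except CUR) and recipients (except OUR)
        if suf and (element not in ("purpose", "recipient") or tok in ("CUR", "OUR")):
            raise ValueError("suffix not allowed on %r" % raw)
        policy.setdefault(element, []).append((tok, P3P_TOKENS[element][tok], SUFFIX[suf]))
    return policy

def review_cp(cp):
    """This example's own heuristic (not part of P3P): list the promises worth a second look."""
    policy = decode_cp(cp)
    flags = ["data shared with %s (%s)" % (meaning, choice)
             for tok, meaning, choice in policy.get("recipient", []) if tok != "OUR"]
    if any(tok == "IND" for tok, _, _ in policy.get("retention", [])):
        flags.append("data retained indefinitely")
    return flags
```

Run against the post's header, `review_cp(PAGE_CP)` reports that data may be shared with "other recipients" on an opt-out basis and retained indefinitely, which is the promise the framework made on the author's behalf.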

On the other hand, we have been sued for failing to provide a reasonably usable product, and we don’t want that to happen again, so when a third product was discovered to fail mysteriously in Internet Explorer iframes, the weekend before it was supposed to be seen by customers, we added the necessary incantation without consulting a lawyer.

Eventually, that is.  If Internet Explorer had simply told us that it was blocking a cookie due to privacy settings, many hours of debugging would have been spared.


Written by eswald

6 Aug 2013 at 7:45 pm

Posted in Technology
