Google's cookie runaround in IE? Not a big deal

Condemnation of Google for bypassing user privacy settings in Safari is justified, but Microsoft's IE bluster is just hot air


Acceptance of the P3P spec has been, ahem, slow at best. Of all the major browsers, only Internet Explorer (versions 6, 7, 8, 9, and 10) recognizes P3P policies. Firefox used to enforce P3P policies, but now it's an obscure option.

When Internet Explorer encounters an invalid compact policy, it simply accepts all cookies. Microsoft says that's in conformance with the W3C spec. Here's what the spec says, in Section 6.4: "P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies." You may read that as saying, "if the CP is invalid, accept all cookies." I don't.

In Internet Explorer 9 or 10, the slider that controls IE's behavior with CPs (found in Tools, Options, Privacy) starts at "Medium: Blocks third-party cookies that do not have a compact privacy policy." There's no admonition about invalid CPs -- and certainly no indication that invalid CPs are accepted. Many people consider this a bug in IE.
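The two readings of an invalid CP can be put side by side in code. This is an added example, not code from Microsoft, the W3C or the original article: it checks a P3P header's CP against the P3P 1.0 compact-policy token vocabulary and models the Medium setting using only the one rule quoted above. The function names and sample headers are constructed for illustration, and the token list should be checked against the spec before being relied on.

```python
import re

# P3P 1.0 compact-policy tokens that never take a suffix.
PLAIN = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR NOR STP
LEG BUS IND TST PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC
GOV OTC""".split())
# Purpose/recipient tokens that may carry an a/i/o consent suffix.
SUFFIXABLE = set("ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP "
                 "DEL SAM UNR PUB OTR".split())
CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def token_ok(tok):
    if tok in PLAIN or tok in SUFFIXABLE:
        return True
    return len(tok) == 4 and tok[:3] in SUFFIXABLE and tok[3] in "aio"


def classify_cp(p3p_header):
    """Return 'absent', 'invalid' or 'valid' for a P3P header value."""
    m = CP_RE.search(p3p_header or "")
    if m is None:
        return "absent"
    tokens = m.group(1).split()
    return "valid" if tokens and all(map(token_ok, tokens)) else "invalid"


def third_party_cookie_kept(p3p_header, invalid_means_no_cp):
    """Model of the Medium rule: block third-party cookies with no CP."""
    state = classify_cp(p3p_header)
    if state == "invalid" and invalid_means_no_cp:
        state = "absent"  # the reading argued in the article
    return state != "absent"


# Constructed sample headers, not captured from any site.
SAMPLES = {
    "well-formed": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"',
    "free-text": 'CP="This is not a real policy"',
    "unknown-token": 'CP="NOI XYZ"',
    "no-header": None,
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, classify_cp(hdr),
              third_party_cookie_kept(hdr, True),
              third_party_cookie_kept(hdr, False))
```

With `invalid_means_no_cp=True` the free-text and unknown-token headers are blocked like a missing header; with `False`, the behavior the article attributes to IE, both cookies are kept.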

Want to check it yourself? Fire up IE 9 or 10. If you've changed your IE Privacy setting, put it back at Medium, the default. Go to Click the gear-shaped icon on the right, then choose Safety, Webpage Privacy Policy. See how the Privacy Report says that cookies on have been accepted? Now click once on, and click Summary. IE will gladly tell you that it just accepted cookies even though it "Could not find a privacy policy for To view this site's privacy policy, contact the website directly."

That's a bug, and it's existed since Internet Explorer 6. Should Google be penalized for taking advantage of IE's bug? What about Facebook and Amazon and 11,000 others?

Now for the kicker: Microsoft once published specific instructions on how to make an "unsatisfactory" CP code for IE6. MSDN had instructions for creating CP codes that would fail the IE6 validity check. Microsoft has since taken down the page, but you can find a reference to it in the old Knowledge Base article 323752. (Microsoft yanked that KB article, too, but a copy still exists on the Wayback Machine.) To quote the Knowledge Base article, "Visit the following MSDN Web site for a complete list of satisfactory and unsatisfactory policy codes."

Who knows? Maybe Google and Facebook and Amazon just followed Microsoft's old instructions to circumvent third-party cookie blocking.

If you want to take Google to the woodshed, do it for intentionally subverting Safari. But for ignoring P3P? Bah.

This story, "Google's cookie runaround in IE? Not a big deal," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.
