Marco.org


P3P sucks: How to get frame cookies unblocked in IE6 and IE7

If you are a web developer unfortunate enough to need to read a cookie from an off-domain IFRAME in IE6 and IE7, you need to specify a P3P compact policy (CP) in the HTTP headers of both the framed page and whatever page sets the cookie you’re trying to read.

P3P is a poorly designed, poorly implemented “standard” that no browsers support except Microsoft Internet Explorer 6 and 7. (And even then, it’s only half-assed, and only the Compact Policy is ever checked.) 

There’s surprisingly little good, free information on the internet about P3P, compact policies, and IE7’s requirements - and IE7 gives absolutely no helpful debugging output such as why your cookie was blocked.

This is approximately the minimum HTTP header needed, and it basically says “We’re not collecting any of your personal data”:

P3P: CP="NID DSP ALL COR"

If you actually store some data, such as email addresses and login cookies, this (also working) policy may be more correct:

P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"

And this useful page will tell you what all of those abbreviations mean, and which ones you want to use.
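One way to make sure both the cookie-setting page and the framed page carry the header is to add it in one place for every response. The following is an added example, not code from the original post; it assumes a Python WSGI application, and the names `P3PMiddleware`, `p3p_header_value`, `demo_app` and `response_headers` are hypothetical. The token pattern is an assumption inferred from the tokens shown above, and it also rejects values pasted with typographic quotes.

```python
import re

# Policy string taken from the post; swap in the one that matches your site.
COMPACT_POLICY = "NID DSP ALL COR"

# Assumption: a token is three capitals, optionally suffixed a/i/o (PSAi, OTRo).
_TOKEN = re.compile(r"^[A-Z]{3}[aio]?$")

def p3p_header_value(policy):
    """Build the header value with plain ASCII double quotes."""
    tokens = policy.split()
    bad = [t for t in tokens if not _TOKEN.match(t)]
    if not tokens or bad:
        raise ValueError("malformed compact policy tokens: %r" % bad)
    return 'CP="%s"' % " ".join(tokens)

class P3PMiddleware:
    """Wrap a WSGI app so every response carries the P3P header."""
    def __init__(self, app, policy=COMPACT_POLICY):
        self.app = app
        self.value = p3p_header_value(policy)

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            # Drop any existing P3P header so exactly one is sent.
            headers = [(k, v) for k, v in headers if k.lower() != "p3p"]
            headers.append(("P3P", self.value))
            return start_response(status, headers, exc_info)
        return self.app(environ, patched)

def demo_app(environ, start_response):
    """Constructed sample app: /login sets a cookie, /frame is the framed page."""
    headers = [("Content-Type", "text/plain")]
    if environ.get("PATH_INFO") == "/login":
        headers.append(("Set-Cookie", "session=example; Path=/"))
    start_response("200 OK", headers)
    return [b"ok"]

def response_headers(app, path):
    """Call a WSGI app once and return the headers it sent."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"]
```

Wrap the real application as `P3PMiddleware(app)`; `response_headers` is only there to inspect what would be sent without a browser.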

I think I’ve just made the most useful post about P3P on the entire internet.