The IE Hole Nobody Cares About
Researchers recently found an interesting <a href="http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/">problem</a> in the way Internet Explorer handles browser cookies. IE could essentially be confused into letting cookies through that it should have blocked. It's been that way for years, but nobody seemed to notice.
Researchers recently found an interesting problem in the way Internet Explorer handles browser cookies. IE could essentially be confused into letting cookies through that it should have blocked. It's been that way for years, but nobody seemed to notice.The bug was actually pretty simple. IE supports privacy policies that are sent via HTTP headers. These policies are supposed to follow the Platform for Privacy Preferences (P3P) Compact Policy format. If the IE user specifies that cookies should only be sent to sites that promise to follow certain rules about what should be done with the data, then IE is supposed to enforce those rules based on the P3P policy it gets from the site. What the researchers found, though, is that IE would treat a malformed P3P policy as a free pass to set cookies. Whoops!
P3P is a real standard from the W3C, so this is not some crazy idea that Microsoft came up with on its own. However, Microsoft is the only company to implement P3P in their browser; they've had it in IE for nearly a decade. The net effect of this bug is that IE effectively ignores P3P, which isn't the end of the world since that's exactly what browsers such as Firefox, Opera, Safari and Chrome have always done. Since almost nobody used IE's P3P policy feature, it's not surprising it could stay broken for so long.
There's a page on Microsoft's site that provides a good overview of how P3P is supposed to work from the perspective of a web site owner. Having created and maintained a P3P policy for a web site in the past, I can definitely say it's a confusing and frustrating process. On most web sites, a single policy isn't right for every page. The e-commerce pages will obviously need to collect more data than the product information pages. Trying to create a flexible and maintainable privacy policy with P3P is nearly impossible.
That said, I would love for the major browsers to take another run at dealing with the issues of privacy and information disclosure. P3P had its heart in the right place. The idea was that nobody ever reads the privacy policies of web sites, so we should get the computer to read and enforce them for us. We just need to make sure that the browser reads them correctly -- IE got that wrong last time around.
About the Author
You May Also Like