Consider it a shot across the bow, for websites playing fast and loose with P3P by leveraging a quirk of Internet Explorer. Those nonsensical compact P3P policies designed to appease IE privacy settings and keep cookies working may have their days numbered. IE10, already included in Windows 8 and soon to debut downlevel on Windows 7, introduces an advanced option for strict P3P validation, buried under Internet Options / Advanced settings:
There is very little documentation about the feature currently. Closest to an official statement is an article in German from the IE support team. Excerpts from a passable English version:
“From a technical perspective, some providers use a niche in the P3P specification, which means that the user settings for cookies can be avoided. The P3P specification states (as an attempt to leave room for future improvements to privacy policies), that is not defined policy of browsers should be ignored.
This setting prevents the exploitation of the aforementioned weakness in P3P standard.”
Curiously the setting is not enabled by default, despite being placed under the security section– subtly implying that checking this box would be good for users. (That classification is itself unusual, since there is already a full tab dedicated to privacy settings.) One can only speculate. MSFT has proven that it will not shy away from a controversy over privacy: IE10 decided to launch with Do-Not-Track feature enabled by default, overruling widespread opposition. But in this case strict P3P enforcement will have limited impact with an opt-in configuration. It is almost axiomatic that most users will not tinker with settings under the hood, which have no obvious impact on the outward appearance of the system– eg colors and layout. Few will venture anywhere near a setting labeled “Advanced.” Enterprises do often override defaults for managed environments, but this feature is far more meaningful to home users.
MSFT has called out this P3P issue in the past via IE Blog, and offered users an updated Tracking Protection List in response– again a purely symbolic gesture, as the fraction of users reading that post, much less applying the TPL, will be negligible. The new feature could be construed as an initial foray, testing the waters before migrating to opt-out model in a future release. (But that could make for a messy deployment: IE10 has auto-updates enabled by default, but it is rare for an incremental update to modify user settings. That would suggest only new installs get the strict enforcement policy.)
6 thoughts on “Strict P3P validation in Internet Explorer 10”
Adding a checkbox to the Advanced tab requires only small registry changes. Trying to add a checkbox to the Privacy tab’s legacy Win32 layout code (across all locales) is a very expensive change.
That makes sense as an expediency measure, but it also makes the feature more difficult to discover. There is a case to be made that it belongs in the privacy tab, since it is an incremental tweak to P3P, tightening the policy evaluation logic.
Also that would imply it is not part of the settings that can be imported via XML? It is possible to define custom privacy settings (such as “downgrade all cookies”) and publish these as XML file for users to import.
There’s not a huge discoverability delta here, since the privacy tab is probably even less-used than the Advanced tab. As you noted, the big challenge is the default state of this option, and alas, I must refrain from discussing that.
You are correct in guessing that this option cannot be imported via the XML templates, which (while awesome) is perhaps the least-used feature in the product that still mostly works. I provided a pair of templates on my blog back in 2010 http://blogs.msdn.com/b/ieinternals/archive/2010/06/05/understanding-internet-explorer-cookie-controls.aspx.
MS seem to have added it silently in RTM only. Still, we don’t get back the cookie/privacy status bar notification which IE9 removed without any explanation.
You should distinguish between “without any explanation” and “without a good justification.” The explanation is here: http://blogs.msdn.com/b/cjacks/archive/2011/08/01/what-happened-to-the-zone-information-on-the-status-bar-in-ie9.aspx
I wrote a bit about IE10’s option here: http://blogs.msdn.com/b/ieinternals/archive/2013/10/16/strict-p3p-validation-option-rejects-invalid-p3p-policies.aspx