Cookies and Third Party Content - Part 2 of Chapter 5 from Web Privacy with P3P (3/4)
Web Privacy with P3P, Chapter 5: Overview and Options
IE6 considers images, frames, and other content served from a different domain than the page in which it is embedded to be third-party content. One typical case of third-party content is a banner advertisement embedded in an HTML page. If the banner ad is served from the advertising company's domain, it is considered third-party content. Companies use a variety of services--to monitor web site usage, process payments, distribute content, or provide customized services, for example--that require objects to be embedded in their web pages as third-party content. Some companies own more than one domain name (say, example.com and example.net). When content from one of those domains is embedded in an HTML page from the other, it appears to browsers that third-party content is being served, because the browser only compares domain names and knows nothing about who owns them. (When I talk about third-party content in this book, I am referring to content that appears to browsers to be third-party content, regardless of whether it actually is third-party content.)
An entire web site can sometimes appear to be third-party content, when the site gets "framed" by another site. Some search services place their own logos and links at the top of a web page and then embed another web site in an HTML frame below it. To the user, the embedded site may appear to be the first-party site, but to the browser, the search engine is the first-party site and the embedded site is third-party content. Something similar may happen when a user uses a web-based email service to read an email that contains a web page. Web-based email services often display email messages in a frame. If someone emails you a web page (for example, a news article from an online news service), that web page becomes framed content. If the web page includes image links, your browser will fetch the images from the news service. If the news service has a different domain name than your email service, those images, and any cookies associated with them, are considered to be third-party.
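As an added example (not code from the book), the following JavaScript applies the browser's-eye-view rule described above to a constructed set of embedded resources, and to the framing case. It assumes that hosts are compared on their last two labels, so www.example.com and images.example.com count as the same site while example.com and example.net do not; a real browser's matching rule may differ, and the two-label rule is wrong for suffixes such as co.uk. The sample page and resource URLs are constructed for illustration.

```javascript
// Added example: decide, the way a browser would, which embedded resources
// are third-party relative to the page that embeds them.
// ASSUMPTION: a "site" is the last two host labels (example.com); this is a
// simplification and is not a real browser's exact rule.

function siteOf(url) {
  const labels = new URL(url).hostname.split('.');
  return labels.slice(-2).join('.');
}

// True when the resource would be treated as third-party content.
function isThirdParty(pageUrl, resourceUrl) {
  return siteOf(pageUrl) !== siteOf(resourceUrl);
}

// Classify every resource a page embeds (images, frames, scripts, beacons).
function classifyEmbeds(pageUrl, resourceUrls) {
  return resourceUrls.map(u => ({ url: u, thirdParty: isThirdParty(pageUrl, u) }));
}

// Framing: the top-level page is the first party, so a site shown inside a
// frame is third-party content whenever its site differs from the top page's.
function framedSiteIsThirdParty(topPageUrl, framedPageUrl) {
  return isThirdParty(topPageUrl, framedPageUrl);
}

// Constructed sample: a news article that embeds one of its own images,
// an ad banner, and a beacon served from a sibling domain the same company owns.
const samplePage = 'https://www.example.com/news/article?id=123';
const sampleEmbeds = [
  'https://images.example.com/photo.jpg',         // same site: first party
  'https://ads.example-adnetwork.net/banner.gif', // ad network: third party
  'https://example.net/beacon.gif',               // sibling domain: still third party
];

// Stand-alone run: print the classification and a framing check.
console.log(classifyEmbeds(samplePage, sampleEmbeds));
console.log('framed by webmail is third party:',
  framedSiteIsThirdParty('https://webmail.example.org/inbox', samplePage));
```

Note that the beacon on example.net is flagged even though, in the sample, the same company owns both domains: that is exactly the "appears to browsers to be third-party" situation the text describes.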
There are several reasons that you need to be aware of both third-party content on your site and situations in which your site may be viewed in a third-party context.
- By default, IE6 blocks third-party cookies that do not have P3P compact policies. If there are cookies associated with any of the third-party content on your site, it is important that the cookies have compact policies and that corresponding full P3P policies be placed on the third-party site. Depending on the policy associated with these cookies and each user's settings, the third-party cookies may still be blocked by some browsers. If the cookie is critical to an application, you should make sure your application can detect whether the cookie was blocked and behave in a useful way even if the cookie is blocked. You may need to work with your third-party service providers to make sure blocked third-party cookies don't "break" applications.
- When third-party content or a link to third-party content is embedded in an HTML page, web browsers fetching that content send a Referer header containing the URL of the page in which the content or link is embedded. Any personal information encoded in the URL of the referring page (for example, a user name or email address in the query string) is thus transferred to the third party. In some cases, this data transfer takes place by agreement between the first-party and third-party sites. In other cases, the transfer is inadvertent. In either case, such transfers may need to be mentioned in the first party's P3P policy (unless the third party is really just a different domain owned by the same company or is a service provider acting as an agent).
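The two points above each suggest a check a site can run. As an added example (not code from the book), the JavaScript below does both: it detects whether a cookie the application depends on was accepted, by writing a probe cookie and reading the jar back, and it reports which query parameters of the embedding page would reach which third-party hosts through the Referer header, then strips them from the URL. The probe takes the cookie jar as a pair of functions so it can run outside a browser; in a browser you would pass `document.cookie` accessors. The list of "sensitive" parameter names, the sample URLs, and the simulated cookie jar are all constructed for illustration.

```javascript
// Added example: (1) detect a blocked cookie, (2) find personal data that
// the Referer header would leak to third-party hosts, and scrub it.

// (1) Write a probe cookie and see whether it comes back. In a browser:
//   cookieWasAccepted(v => { document.cookie = v; }, () => document.cookie)
function cookieWasAccepted(writeCookie, readCookies, name = 'p3pprobe') {
  writeCookie(`${name}=1; path=/`);
  const accepted = readCookies()
    .split(';')
    .map(s => s.trim())
    .some(c => c.startsWith(`${name}=`));
  // Expire the probe so it does not linger in the user's jar.
  writeCookie(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`);
  return accepted;
}

// Constructed stand-in for document.cookie: accepts or silently drops writes,
// mimicking a browser that blocks the cookie.
function makeJar(accept) {
  let jar = '';
  return {
    write: v => { if (accept) jar = v.split(';')[0]; },
    read: () => jar,
  };
}

// (2) Given the embedding page's URL, the query parameters the site treats as
// personal (ASSUMED list), and the resources the page embeds, report the
// parameters that would leak and the third-party hosts that would receive them.
// Hosts are compared exactly here; subdomains of the page's own host are
// reported as third-party too, which is the conservative choice.
function referrerLeaks(pageUrl, sensitiveParams, resourceUrls) {
  const page = new URL(pageUrl);
  const leakedParams = sensitiveParams.filter(p => page.searchParams.has(p));
  const thirdPartyHosts = new Set(
    resourceUrls.map(u => new URL(u).hostname).filter(h => h !== page.hostname));
  return { leakedParams, thirdPartyHosts: [...thirdPartyHosts] };
}

// Remove the sensitive parameters so the Referer carries nothing personal;
// the values would instead be kept server side (e.g. in a session record).
function scrubUrl(pageUrl, sensitiveParams) {
  const u = new URL(pageUrl);
  sensitiveParams.forEach(p => u.searchParams.delete(p));
  return u.toString();
}

// Stand-alone run on constructed input.
const accepting = makeJar(true);
const blocking = makeJar(false);
console.log('cookie accepted:', cookieWasAccepted(accepting.write, accepting.read));
console.log('cookie accepted (blocking jar):', cookieWasAccepted(blocking.write, blocking.read));

const accountPage = 'https://www.example.com/account?user=alice&email=alice%40example.com&page=2';
const sensitive = ['user', 'email', 'ssn'];
const embeds = [
  'https://www.example.com/logo.gif',
  'https://ads.example-adnetwork.net/banner.gif',
  'https://stats.example-metrics.com/pixel.gif',
];
console.log(referrerLeaks(accountPage, sensitive, embeds));
console.log('scrubbed:', scrubUrl(accountPage, sensitive));
```

When the probe reports a blocked cookie, the application can fall back (for example, by carrying state server side or explaining to the user why a feature is unavailable) instead of failing silently, which is the "behave in a useful way" the text asks for.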
[1] A particular URL on your site is considered P3P-enabled if it is properly associated with a valid policy and policy reference file. However, if that URL is an HTML page in which images or other content are embedded, some P3P user agents may display warnings or block cookies if the embedded content is not P3P-enabled as well.
Created: December 30, 2002
Revised: December 30, 2002