Following the revelation that Google and other online marketing companies have been bypassing the mechanism for blocking third-party cookies in Safari, the Internet Explorer development team asked themselves whether Google might be doing the same thing in IE. As they detail on IEBlog, they discovered that this was the case – Google circumvents Internet Explorer’s cookie policy by subverting the browser’s P3P-based privacy protection mechanism.

P3P stands for Platform for Privacy Preferences Project and is an open W3C standard. It is intended to help both users and programs determine what sites do with personal data. The cookie management system in Internet Explorer blocks third-party cookies from sites that do not supply a P3P policy statement telling it how cookies are used.

According to Microsoft’s analysis, Google exploits a vulnerability in the P3P specification. The specification states that browsers should ignore undefined policies, so that’s exactly what Google delivers:

P3P: CP="This is not a P3P policy! See hl=en&answer=151657 for more info."

This can be read and understood by human users, but, according to Microsoft, browsers that follow the P3P specification interpret this to mean that the cookie will not be used for tracking purposes. As a result Internet Explorer lets Google cookies pass.

Microsoft is advising users to download a tracking protection list to stop Internet Explorer from forwarding cookies to Google. The blog posting contains a link to the list, which can be installed from within Internet Explorer with a simple mouse click. Microsoft is also planning to look into ways of making Internet Explorer’s cookie handling more secure. One possibility would be to ignore the P3P specification and block all cookies with undefined P3P policies.
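The difference between ignoring undefined tokens and blocking on them can be seen in a small model of a compact-policy check (an added example, not code from Microsoft or Google). The `UNSATISFACTORY` set and the strict rule are assumptions that stand in for Internet Explorer's real settings, and two of the three sample headers are constructed.

```python
import re

# P3P 1.0 compact-policy vocabulary. Tokens in SUFFIXABLE (purposes and
# recipients) may carry a one-letter consent suffix: a, i or o.
SUFFIXABLE = set("ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP "
                 "DEL SAM UNR PUB OTR".split())
KNOWN = SUFFIXABLE | set(
    "NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR NOR STP LEG BUS IND "
    "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC TST".split())

# Assumption for this sketch only: tokens the user's privacy setting rejects
# for third-party cookies. Internet Explorer's real rule set is not reproduced.
UNSATISFACTORY = {"PSA", "PSD", "IVA", "IVD", "CON", "TEL", "UNR", "PUB"}

def parse_cp(header_value):
    """Split a P3P header's CP attribute into (recognised, unknown) tokens.
    Returns None when no CP attribute is present at all."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    if m is None:
        return None
    recognised, unknown = [], []
    for tok in m.group(1).split():
        suffixed = len(tok) == 4 and tok[3] in "aio" and tok[:3] in SUFFIXABLE
        (recognised if tok in KNOWN or suffixed else unknown).append(tok)
    return recognised, unknown

def lenient_allows(header_value):
    """Spec-following model: undefined tokens are ignored, the rest is judged."""
    parsed = parse_cp(header_value)
    if parsed is None:
        return False                      # no policy supplied: cookie blocked
    return not any(t[:3] in UNSATISFACTORY for t in parsed[0])

def strict_allows(header_value):
    """Hardened model: any undefined token, or no defined token, means block."""
    parsed = parse_cp(header_value)
    if parsed is None or parsed[1] or not parsed[0]:
        return False
    return not any(t[:3] in UNSATISFACTORY for t in parsed[0])

# Header text as quoted in the article, plus two constructed policies.
QUOTED = 'CP="This is not a P3P policy! See hl=en&answer=151657 for more info."'
VALID = 'CP="NOI DSP COR NID CUR ADM DEV OUR BUS"'        # constructed
TRACKING = 'CP="NOI DSP PSAa PSDa OUR IND UNI"'           # constructed

if __name__ == "__main__":
    for name, hdr in [("quoted", QUOTED), ("valid", VALID), ("tracking", TRACKING)]:
        print(name, "lenient:", lenient_allows(hdr), "strict:", strict_allows(hdr))
```

Under the lenient model the quoted header passes because nothing in it is a defined token, so nothing is left to object to; the strict model rejects it while still accepting the well-formed policy.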

According to a 2010 study by Carnegie Mellon University, 11,176 of 33,139 sites examined use an invalid P3P specification. Google has now responded to Microsoft’s allegation and, in an email to US media, it describes the system used by Internet Explorer as obsolete and “widely non-operational”.

Google points out that the link within the P3P policy does point to an article which states their position on P3P. It also notes comments from a security researcher that “Instead of fixing P3P loophole in IE that FB & Amazon exploited … MS did nothing. Now they complain after Google uses it”. Facebook, at least, has the same P3P policy style as Google, complete with explanation. At the time of writing, Amazon was returning a valid P3P policy.