2004.07.23 11:07 PM

IE 6.0, W3C, and P3P

I often hear or read about Microsoft's shoddy standards compliance or their evil practice of "embrace and extend", and usually shrug it off, because, honestly, their approach has generally been good for me and my clients. Tonight, though, I got bit.

A client of mine needs to expose a portion of a PeopleSoft HRMS system hosted on their server to another site through an iframe in an HTML page on the other site's web server. The other site's users run IE 6.0 exclusively, and these sites don't share a domain. In order for PeopleSoft and the WebLogic server it resides on to work, they must be able to send some cookies back to the browser. However, in its default configuration, IE 6.0's privacy policy prevents accepting 3rd party (i.e., cross-domain) cookies that are not accompanied by a suitable compact privacy policy. No problem, I thought, I'll just whip up a W3C-compliant P3P policy reference file and a separate full policy file, place them in a well-known location on the web server, and be back in business. No joy.

It seems that contrary to the W3C P3P spec, Microsoft wants more. They've coded IE so that it requires a compact privacy policy in the header of each HTTP response. From the Internet Explorer 6 Privacy Feature FAQ:

Q: The W3C states that a compact policy header is optional, but cookies do not seem to work without it. Is a compact policy header required?

Answer: Although compact policies are optional for P3P compliance, they are required by Internet Explorer to determine the Web site's privacy practices concerning cookies.

Well, thanks.

Of course, I can, kicking and screaming, spelunk through reams of delivered PeopleCode and make sure that every HTTP response for every menu, panel, and IScript includes a CP=... header (injected using the %Response object's SetHeader() method). But, that still doesn't help me with the semi-static PeopleSoft HTML page signin.html, which is used to enter the system in the first place. This page is packaged and delivered to the user by PeopleSoft's IClientServlet Java servlet, whose HTTP header logic I have no control over, and it's during the delivery of this page that the servlet determines whether the user has cookies enabled, and, if they don't, sends them cookiesrequired.html, which helpfully tells them that the "Server is not configured correctly".

So now we're left with 1) modifying the IE privacy policy of every user accessing the other site to allow cookies from my client's server, or 2) screwing with user HOSTS files or DNS to map my client's server into the other site's domain. The latter option has the added downside of rendering my client's SSL certificate invalid. Nuts.

By the way, it seems Mozilla and Firefox browsers don't do P3P at all.


I could be wrong on this -- It has been over a year since I did the P3P thing...but couldn't you just set the webserver to add this to its default http header? I could be thinking of something else -- but I do clearly remember doing this for IIS twice, and in Apache once for a few customers...

Perry | 2004.07.28 06:15 AM

Hi Perry - That's what I figured, but I couldn't find it. The only reference to affecting HTTP response headers I could find in the BEA WebLogic help and in on-line searches was to the HttpServletResponse object's setHeader method.

ewbi.develops | 2004.07.28 07:16 AM

Were you able to figure out a way to set the P3P header within WebLogic? We are trying to solve the same problem. Thanks.

Ken | 2004.08.23 10:22 AM


Not yet. We'd hoped to upgrade to WebLogic 8.1 which supports a filter framework (actually introduced with version 6.0, I think), which makes it easy to inject custom logic into the HTTP pipeline:

"Filters are an advanced J2EE feature primarily intended for situations where the developer cannot change the coding of an existing resource and needs to modify the behavior of that resource."


However, we're stuck at operating the app on WebLogic 5.1. So, what we'll probably do is set up an 8.1 server to act as a proxy to the 5.1 server. We can then add a filter on the 8.1 server.

Alternatively, we may adopt a simpler proxy server that allows for easy request/response trapping and manipulation, like this one written in Python by Suzuki Hisao:


Good luck!

ewbi.develops | 2004.08.23 11:08 AM
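The filter approach described in the comment above, as an added example that is not code from the post, from PeopleSoft or from BEA: a Servlet 2.3 filter that stamps a P3P compact-policy header on every response before the servlet chain can commit it. The class name, the "compactPolicy" init parameter and the CP token string are assumptions; the tokens shown are a constructed placeholder and must be replaced with ones that describe the site's actual privacy practices, because IE 6 evaluates them against the user's privacy slider, not merely for presence.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Adds a P3P compact policy header to every HTTP response so IE 6 will
 * accept third-party cookies set by PeopleSoft/WebLogic. Register in
 * web.xml (Servlet 2.3) with a <filter> element whose <init-param>
 * "compactPolicy" carries the CP string, and a <filter-mapping> on
 * <url-pattern>/*</url-pattern> so signin.html and IScripts are covered.
 */
public class P3PHeaderFilter implements Filter {

    // Constructed placeholder; every token must reflect the real policy.
    private static final String DEFAULT_CP =
        "CP=\"NOI DSP COR CURa ADMa DEVa OUR NOR\"";

    private String compactPolicy = DEFAULT_CP;

    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init parameter name; falls back to the placeholder.
        String cp = config.getInitParameter("compactPolicy");
        if (cp != null && cp.trim().length() > 0) {
            compactPolicy = cp.trim();
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the header BEFORE passing control down the chain: once the
            // servlet commits the response, added headers are silently lost.
            if (!http.containsHeader("P3P")) {
                http.setHeader("P3P", compactPolicy);
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Verify the result with a request tool that shows raw response headers (e.g. a packet capture or the browser's privacy report), confirming the P3P header appears on the signin page and on cookie-setting responses, not only on the first hit.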


