

Why is P3P not used more? - nl
http://en.wikipedia.org/wiki/P3P

======
jusob
"A key problem that occurs with the use of P3P is that there is a lack of
enforcement." You can "promise" one thing through P3P, but do something
different with the data you gather.

The only time I used P3P was to get around some restrictions with Internet
Explorer.

~~~
getsat
Yup. Building a third party widget that operates via iframe on a customer's
site but need access to get/set cookies on your side? P3P time.

CP="NOI ADM DEV COM NAV OUR STP"

~~~
nl
You sure that policy is right? I don't understand the spec, nor how to read
the P3P policy, but looking at <http://www.w3.org/TR/P3P/> seems to indicate
these might be problematic:

NOI = Web site does not collect identified data.

OUR = Recipient of the information is your company (only)

STP = The retained information will only ever be used for the currently stated
purposes.

~~~
apinstein
This is what I use for the same purpose (and I am sure it works), though I am
not sure which item or min combo of items is required. Once I beat back the IE
demons, I called it a day.

CP="CAO DSP COR CURa ADMa DEVa TAIo PSAo PSDo IVAo IVDo OUR BUS IND UNI COM
NAV INT"

~~~
nl
That's exactly my point. Everyone just Googles and puts random stuff in there
until it works.

One day someone will get sued over it, because that policy is telling the
browser what you say you will do with that data.

Imagine if financial reporting software worked like this: "Oh, we just tried
outputting different values in the balance sheets until our stock went up".
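Added example, not part of the thread or any commenter's code: a small decoder that spells out what the two compact policies quoted above assert, using token meanings from the W3C P3P 1.0 specification. The function names, the constants `POLICY_A`/`POLICY_B`, and the token table (limited to tokens that appear in this thread) are this example's own.

```python
import re

# Compact-policy tokens per the W3C P3P 1.0 spec (only those used in this thread).
TOKENS = {
    "NOI": ("access", "no identified data is collected"),
    "CAO": ("access", "access to contact and certain other identified data"),
    "DSP": ("disputes", "policy contains a DISPUTES section"),
    "COR": ("remedies", "errors will be corrected"),
    "CUR": ("purpose", "completing the current activity"),
    "ADM": ("purpose", "site and system administration"),
    "DEV": ("purpose", "research and development"),
    "TAI": ("purpose", "one-time tailoring"),
    "PSA": ("purpose", "pseudonymous analysis"),
    "PSD": ("purpose", "pseudonymous decision"),
    "IVA": ("purpose", "individual analysis"),
    "IVD": ("purpose", "individual decision"),
    "OUR": ("recipient", "ourselves and our agents only"),
    "STP": ("retention", "kept only for the stated purpose"),
    "BUS": ("retention", "kept per stated business practices"),
    "IND": ("retention", "kept indefinitely"),
    "UNI": ("category", "unique identifiers"),
    "COM": ("category", "computer information"),
    "NAV": ("category", "navigation and click-stream data"),
    "INT": ("category", "interactive data"),
}
CONSENT = {"a": "always", "i": "opt-in", "o": "opt-out"}  # optional token suffix

def decode_cp(header_value):
    """Return [(token, group, meaning, consent)] for a CP="..." value."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not m:
        raise ValueError('no CP="..." compact policy found')
    out = []
    for raw in m.group(1).split():
        base, suffix = raw[:3], raw[3:]
        group, meaning = TOKENS.get(base, ("unknown", "not in this table"))
        out.append((raw, group, meaning, CONSENT.get(suffix)))
    return out

def claims(header_value, group):
    """Tokens in the policy that belong to one group, e.g. 'retention'."""
    return [tok for tok, g, _, _ in decode_cp(header_value) if g == group]

# The two policies posted in this thread (second one re-joined onto one line).
POLICY_A = 'CP="NOI ADM DEV COM NAV OUR STP"'
POLICY_B = ('CP="CAO DSP COR CURa ADMa DEVa TAIo PSAo PSDo IVAo IVDo '
            'OUR BUS IND UNI COM NAV INT"')
```

Decoding `POLICY_B` shows it declares both business-practice and indefinite retention and collection of unique identifiers, which is the kind of statement to compare against the site's written privacy policy before shipping the header.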

~~~
Natsu
> Imagine if financial reporting software worked like this: "Oh, we just tried
> outputting different values in the balance sheets until our stock went up".

You're making me wonder if they don't do some kind of A/B testing already....

~~~
andrewbadera
Have you been reading the news the past 15 years? That's precisely what
derivatives are used for. Derivatives, and bought-and-paid-for auditors who
also provide "consulting services."

~~~
Natsu
I've never invested in derivatives. Can't say that I plan to, either.

------
terryjsmith
Facebook has a decent explanation for why they do not use P3P in the headers
for their Like buttons:

P3P CP="Facebook does not have a P3P policy. Learn why here:
<http://fb.me/p3p> (URL redirects to
<http://www.facebook.com/help/?topic=p3p>).

~~~
sorbus
The key bit of that explanation:

"The organization that established P3P, the World Wide Web Consortium,
suspended its work on this standard several years ago because most modern web
browsers do not fully support P3P. As a result, the P3P standard is now out of
date and does not reflect technologies that are currently in use on the web"

~~~
nl
Yeah, I'm sorry, but that's (mostly) bullshit.

IE does support P3P - perhaps not completely, but to some degree.

 _"the P3P standard is now out of date and does not reflect technologies that
are currently in use on the web"_

Actually, reading it in conjunction with the new Mozilla privacy icons shows
it has held up fairly well.

I'm just troubled by the idea that Mozilla seem to be re-inventing the wheel a
bit here.

------
ericflo
You have to use P3P if you want to set third party cookies (or set cookies
from within an iframe) for IE or Safari.

~~~
nl
When you do that, do you (or your lawyers) check that the P3P policy you use
matches that on your site?

Why or why not? (This is a genuine question)

~~~
ericflo
Thankfully I've never had to deal with this before, I just so happen to know
that P3P is a necessary evil for these things.

------
narrator
I think p3p was just an attempt to f' over Google and other ad networks by
breaking adsense, etc. It seems Internet Explorer always comes out with some
new "feature" every version to try and break adsense. The only time I've ever
been able to fully and consistently crash ie8 was embedding Adsense in a web
widget.

