
This seems to be a problem with the design of P3P more than anything.

Browsers: "3rd-party cookies are blocked unless you add a P3P header..."

Websites: "Ok. What should be in the header?"

Browsers: "Anything... it doesn't matter. Just add the header then 3rd-party cookies are fine"

Websites: "Ok, we'll just add a P3P header saying 'Ceci n'est pas une P3P header' then. Problem solved."




If you read more closely, it's not enough to _have_ a header; the header must also indicate that cookies are not used for tracking.

The problem is, that indication is made with _lack_ of a particular token; and google includes a fake P3P header with no tokens in it. Thus, according to the protocol, google's header indicates that it does not use cookies for anything at all.
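The token mechanics the comment above describes, as an added example that is not code from the thread, from Google, or from any browser vendor: a small P3P compact-policy (CP) tokenizer and classifier. The token vocabulary is the P3P 1.0 compact-policy token set; the verdict names, the constructed sample headers, and the idea that "no purpose, recipient or data-category token" means "no declared data use" are this example's own simplified model and are not Internet Explorer's actual evaluation algorithm. The point it shows is that a CP string made of ordinary English words contains no recognised tokens, so it evaluates exactly like an empty CP="".

```javascript
// Added example: P3P compact-policy (CP) tokenizer and classifier.
// Vocabulary below is from P3P 1.0 compact policies. Verdict names and the
// "declares use" rule are this example's simplification, not IE's logic.

const P3P_VOCABULARY = {
  access:    ["NOI", "ALL", "CAO", "IDC", "OTI", "NON"],
  disputes:  ["DSP"],
  remedies:  ["COR", "MON", "LAW"],
  nonident:  ["NID"],
  purpose:   ["CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"],
  recipient: ["OUR", "DEL", "SAM", "UNR", "PUB", "OTR"],
  retention: ["NOR", "STP", "LEG", "BUS", "IND"],
  category:  ["PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
              "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"],
  test:      ["TST"],
};

// Reverse index: token -> group name.
const TOKEN_GROUP = {};
for (const [group, tokens] of Object.entries(P3P_VOCABULARY)) {
  for (const t of tokens) TOKEN_GROUP[t] = group;
}

// Purpose and recipient tokens may carry a one-letter suffix:
// a = always, i = opt-in, o = opt-out (e.g. PSAo, ADMa).
const SUFFIXED_GROUPS = new Set(["purpose", "recipient"]);

// Pull the compact policy out of a P3P header value, e.g.
//   CP="NOI DSP COR"  ->  'NOI DSP COR'
// Returns null when there is no CP= directive at all.
function extractCompactPolicy(headerValue) {
  const m = /\bCP\s*=\s*"([^"]*)"/i.exec(headerValue);
  return m ? m[1] : null;
}

// Split a CP string into recognised tokens and ignored words.
// Unknown words are kept so a caller can see what was silently skipped.
function parseCompactPolicy(cp) {
  const result = { tokens: [], unrecognised: [] };
  for (const word of cp.trim().split(/\s+/).filter(Boolean)) {
    const upper = word.toUpperCase();
    let base = upper;
    let suffix = "";
    if (upper.length === 4 && /[AIO]$/.test(upper) &&
        SUFFIXED_GROUPS.has(TOKEN_GROUP[upper.slice(0, 3)])) {
      base = upper.slice(0, 3);
      suffix = upper[3].toLowerCase();
    }
    const group = TOKEN_GROUP[base];
    if (group) result.tokens.push({ token: base, group, suffix });
    else result.unrecognised.push(word);
  }
  return result;
}

// Classify a header. Verdicts (this example's names):
//   "no-policy"     no CP= directive present
//   "no-data-use"   CP present but declares no purpose, recipient or category,
//                   i.e. it reads as "cookies are used for nothing"
//   "declares-use"  at least one purpose, recipient or data category declared
function evaluateP3PHeader(headerValue) {
  const cp = extractCompactPolicy(headerValue);
  if (cp === null) {
    return { verdict: "no-policy", purposes: [], recipients: [], categories: [], unrecognised: [] };
  }
  const { tokens, unrecognised } = parseCompactPolicy(cp);
  const purposes   = tokens.filter(t => t.group === "purpose").map(t => t.token + t.suffix);
  const recipients = tokens.filter(t => t.group === "recipient").map(t => t.token + t.suffix);
  const categories = tokens.filter(t => t.group === "category").map(t => t.token);
  const declaresUse = purposes.length + recipients.length + categories.length > 0;
  return { verdict: declaresUse ? "declares-use" : "no-data-use",
           purposes, recipients, categories, unrecognised };
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = {
  none:      'policyref="/w3c/p3p.xml"',
  nonsense:  'CP="This is not a P3P policy! See the linked support page for more info."',
  empty:     'CP=""',
  adNetwork: 'CP="NOI DSP COR NID ADMa DEVa TAIa PSAo PSDo OUR BUS UNI COM NAV INT"',
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, h] of Object.entries(SAMPLE_HEADERS)) {
    console.log(name, JSON.stringify(evaluateP3PHeader(h)));
  }
}
```

Running it prints one line per sample: the "nonsense" header has every word in `unrecognised` and gets the same "no-data-use" verdict as the literally empty `CP=""`, while the ad-network style policy lists its purposes (ADMa, DEVa, TAIa, PSAo, PSDo) and recipient (OUR). A user agent that only asks "does the policy declare a tracking purpose?" cannot distinguish the first two cases, which is the design gap the thread is arguing about.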


It's just plain wrong. The cookies can be used for tracking. You just need to tell what kind of tracking and what you do with that information. http://news.ycombinator.com/item?id=3615381


This is not a reply to your comment! See http://pastebin.com/raw.php?i=qV5bkCjG for more info.


clever :)

Btw, I'm not defending Google, they're clearly not acting perfectly here. I'm simply pointing out that this is a clear case of, "what did you expect to happen?" Any spec that still sets a cookie that is declared as not being used for any purpose seems deeply flawed.

I also found it interesting that Microsoft called out Google and not Facebook, which gives the article a political overtone.


Hindsight is always 20/20 and norms change quickly on the internet; we could say equally critical things about Telnet and FTP.

I agree that P3P clearly needs some rethinking to stay relevant. Especially now that the cat's out of the bag on how to bypass it. (Microsoft's immediate response is to set up yet another blacklist system... some cultures just never change.)

For everyone's entertainment, the OP's comments linked to an amusing satire of P3P called P5P, or the "Pretty Please Platform for Participating Publishers." This is possibly the best collection of protocol tokens I have seen since RFC 2324.

http://pastebin.com/ijjRKvUB


It is interesting that your response to Google seemingly doing something that is, at the least, disingenuous, is to criticize Microsoft. Also re: culture - where do you think Google got all those engineers from? A significant number are ex-MSFT. There is a reason GOOG built a campus in Bellevue.


I think he is criticizing Microsoft for pointing their fingers at their arch-enemy while failing to mention their partner.


A blacklist seems like a pretty effective strategy and allows them to deal with offenders simply. I'd imagine you're not advocating for them to add proprietary extensions to P3P. What would you suggest they do otherwise, out of curiosity?


The problem is, blacklists need to be maintained, create a single point of failure (in terms of both access and trust), and rapidly grow out of control. See virus scanners, spam filtering, CRL checking for SSL, MSIE Phishing Filter, etc. all of which work either sporadically or at the unrelenting expense and pain of some central party.

I think MS probably needs to acknowledge that P3P is broken, and change the default so it doesn't affect third party cookie acceptance. Administrators for Windows environments that think otherwise can override the default by deploying a group policy.


I would expect shady sites from the dark parts of the internet to actively lie, but Google?

What do you think about robots.txt then? Isn't that a standard that isn't enforced as well?


I would expect every site to be extremely liberal with what they request, since, in this case, there is little to no indication to the user as to what's being sent to whom. Developers are going to add the header to get the data because that's what's necessary to get their stuff working.

Ultimately, P3P comes down to the honor system. Unfortunately, that doesn't work on the internet.


I fail to see why Google is being compared to every other site on the internet.

You would not be surprised if a warez program installed a keylogger on your computer, but you hold Google Chrome to a higher standard. Isn't that true for the internet too? Why equate Google to any other site on the internet?

>Ultimately, P3P comes down to the honor system. Unfortunately, that doesn't work on the internet.

Would you say the same thing if you came to know that Google employees are reading your email for fun and profit?


> This seems to be a problem with the design of P3P more than anything.

Granted, the standard is written to be abused. On the other hand, Google's behavior is basically "well if you don't say no it's not rape. What, you were bound and gagged at the time? Well nothing I can do about that".


Please don't use a violent real world crime as an analogy to things like setting cookies.





