Skip to main content

TechNet Chat: Internet Explorer Privacy Features - Questions and Answers

1:00 PM PST, Wednesday, September 5, 2001

Host Guide_KenM:
Welcome to today's TechNet Chat. Our topic is Internet Explorer Privacy Features - Questions and Answers. Questions, comments, and suggestions are welcome. The Input Room is where you can enter questions for our hosts today. We will read them and select questions to answer. The questions and answers will be posted in the Reading Room. Please feel free to go ahead with questions.

Host Guest_Aarong_MS:
Welcome. Has everyone tried the new IE 6 Privacy Features?

nneth:
Q:
No, what kind of new stuff is there?

Host Guest_Aarong_MS:
A:
IE 6 radically changes how cookies are handled. In previous versions, users simply choose to accept or reject cookies...Now with an easy-to-use user interface, users can adjust their privacy preference of stringency for cookie filtration. The filtering works to filter cookies based on the privacy practices associated with the cookies instead of merely the presence of a cookie. IE 6 builds on P3P (platform for privacy preferences), a forthcoming standard from the W3C, to get the privacy information about the cookies.

Mathieu:
Q:
When you send a request to a secure server (https) is the send secure? I mean can the parameters be intercepted?

Host Guest_Aarong_MS:
A:
Https uses SSL, which employs public key cryptography to ensure the secret of the parameters, which could be used to eavesdrop on the transmissions.

Mathieu:
Q:
When developing ASP applications, is it better to keep value in Session or Cookies and why?

Host Guest_Aarong_MS:
A:
From the architecture side, I am not an ASP expert so I cannot say which is best for your application. However, I believe session uses session cookies, so you should be concerned about cookie use in either case. When building this app, you should carefully consider if your cookies will appear in the first- or third-party context and what will happen regarding the IE 6 cookie filtration.

Anon:
Q:
I have a question supplementing Mathieu's. If I call this URL by code "https://www.somesite.asp?param1=123", initially I do not have a connection. Yet if I make the call, can someone intercept the initial URL values or is the SSL connection implemented?

Host Guest_Aarong_MS:
A:
Off the bat, I have not run a test case or code reviewed, so I cannot make a definitive answer. However in the http request, as said, you are not yet over SSL, thus you're in the clear. It is possible to perform a "hello server" type of action, which preserves the parameters secrecy until the connection is made.

Host Guide_KenM:
For those new to the chat, our topic is "Internet Explorer Privacy Features - Questions and Answers." Questions, comments, and suggestions are welcome.

Mathieu:
Q:
Are cookies still written on the user's computer with IE6? I have some difficulties with that 'cause it's so simple to delete it. And if someone bases his development on it, it is not the better way.

Host Guest_Aarong_MS:
A:
Cookies are still written to the disk, but by default there is a filtering process. This filtering is based on the cookies P3P compact policy. It's still great to develop using cookies for state management, however you should deploy P3P to make this successful.

MorphiX:
Q:
What is the new cookie filtration in IE6? And can you define P3P?

Host Guest_Aarong_MS:
A:
P3P (platform for privacy preferences) is an XML-based vocabulary for encoding a site's privacy practices. P3P provides a standard vocabulary for these practices as well as a transport specification for user agents to get these statements. There is also a P3P compact policy. It is a condensed version of the full P3P policy. To summarize the default filtering then, if first- or third-party cookies have an acceptable compact policy (CP)—acceptable meaning they meet the user's preferences—then the cookie is accepted as usual. If a first-party cookie has no CP, it is accepted but leashed. Leashed means it is bound to use in the first-party context only—that is, such a cookie will not be replayed on http requests to a third-party context. If a third-party cookie has no CP, it will be blocked. Finally, if the CP is unacceptable to use preferences, the cookie in the first-party context will be deleted after the session and in the third-party context will be blocked.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/ie6privacyfeature.asp is a great place to start to learn about the privacy features in Internet Explorer and how they utilize P3P. Additionally, you can always go to http://www.w3.org for more info on the upcoming specification.

Mathieu:
Q:
IE6 is certainly designed to support new technologies such as C#, .NET, XML...?

Host Guest_Aarong_MS:
A:
IE has XML support and capabilities. Applications written with C# and the common language runtime will be exposable through IE when the client has the runtime.

Host Guide_KenM:
We are going to have to wrap up this chat in about 15 minutes. We will answer some last questions though.

Host Guest_Aarong_MS:
OK, everyone. Looks like things are going to wrap up soon. It's been my pleasure to address your questions. Is there anything else about the privacy features that you would like to discuss in the last few minutes? Thanks for joining us today! You've asked some great questions. Unfortunately, it's time to go.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.