Frequently-Asked Questions: Cookies and Word Documents
| Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
Updated : June 9, 2001
On This Page
What's the issue?
Is the report true?
Does this affect only Word?
What's a cookie?
I thought the report was about Word documents, but cookies come from web sites. What's happening here?
Could the cookie track or monitor my actions?
Could the cookie read a Word document that I've been sent or am editing?
Why not include a feature in Word that lets you decide how to handle cookies?
I don't like the idea of a web site operator knowing tracking my actions. Is there something I can do?
How can I control whether IE will accept cookies or not?
Do the IE settings work for cookies when web content is embedded in a Word document?
What about the claims regarding my IP address being revealed?
What if I'm not using a firewall?
What about DSL connections and other technologies that assign a fixed IP address to each machine?
What's the issue?
A recently-published report notes that it could be possible under certain conditions for a Word document to contain a link to a web site. When opened, the link would contact the site, and it could be possible for the site to place a cookie on your machine. The report also notes that, by contacting the web site, the site could learn your machine's IP address.
Is the report true?
The scenario described in the report is possible, but the report inaccurately portrays this as a new issue. At its heart, the issue here is no different from any other web-browsing scenario. You can always decide whether or not to accept cookies from a web site, regardless of whether you arrived at the site via a web-enabled application or by browsing directly to it. Similarly, IP addresses are always revealed as part of any web session - in fact, a web session is impossible unless both parties know the other's IP address.
Does this affect only Word?
No. It isn't clear why the report focuses on Word, as any web-enabled application would allow the very same situation. There are thousands of web-enabled applications, built by many different vendors, and running on many different operating systems.
We don't presume to speak for other vendors, but in Microsoft operating systems, all contact with web sites is brokered through the browser. If you've set IE to restrict cookies, those restrictions are always in place.
What's a cookie?
A cookie is a small data file that contains information about how you use a particular web site. Cookies enable web sites to customize each customer's web experience. For instance, if you visit a web site that sells a variety of merchandise, it might record in the cookie the fact that you typically buy sporting goods when you visit. The next time you visit the site, it might read the cookie and then customize its pages to show you newly-stocked bowling shoes rather than, say, the Spring formal gown collection.
I thought the report was about Word documents, but cookies come from web sites. What's happening here?
A Word document or other Office document can contain an embedded link to content that comes from a web site. When the document is opened, Word asks IE to retrieve the content and then displays it as part of the document. When that happens, IE goes to the web site to get the web content. The web site could attempt to store a cookie on your machine as part of the process.
Could the cookie track or monitor my actions?
The cookie is just a file; it doesn't do anything by itself. However, if you visit the same web site again, the site could retrieve the cookie, and that could provide it with information about your previous visits to the site. It's important to understand though, that neither the web site nor the cookie can access anything else on your system: neither files stored on your computer nor anything about your visits to other web sites. Also, the only web site that can retrieve a cookie is the one that placed it originally.
Could the cookie read a Word document that I've been sent or am editing?
Having a cookie from a web site on your computer doesn't let the site read the Word document that included an embedded link to the site or anything else on your computer. The site can only read and modify the contents of the cookie itself.
Why not include a feature in Word that lets you decide how to handle cookies?
There are two problems that make such an approach infeasible:
Every web-enabled application would need a similar feature. As discussed above, there are literally thousands of such applications.
Even if such a feature were provided as part of every web-enabled application, users would need to configure cookie handling separately for each application.
The better way to handle cookies is exactly the way it's done today - through Internet Explorer. All contact with web sites is managed by IE. If you've restricted cookies in IE, those restrictions will be in place regardless of how you arrived at the site.
I don't like the idea of a web site operator knowing tracking my actions. Is there something I can do?
A web site cannot force you to accept a cookie. A web site can only read or change a cookie or place a new one on your machine if have configured IE to accept cookies.
How can I control whether IE will accept cookies or not?
In Internet Explorer, the handling of cookies is determined by the Security Zone that the site is in. To view or change the setting, follow these steps:
In Internet Explorer, choose the Tools menu entry, then Internet Options.
Select the Security tab, then click the zone you'd like to change, followed by the Custom button.
Scroll down to the header titled Cookies, and click the radio button that describes how you'd like to handle cookies. You can choose to accept cookies from all sites in the zone, refuse to accept any, or be prompted whenever a site wants to send you a cookie.
Do the IE settings work for cookies when web content is embedded in a Word document?
The settings work no matter how the web content is requested. However, if Word requests web content and IE is set to "Prompt" before accepting a cookie, Word will refuse to accept the cookie.
What about the claims regarding my IP address being revealed?
When you establish a connection with a web site -- regardless of how it happens -- the web site can observe the Internet address (IP address) that your machine uses. It's impossible for a web connection to occur unless both parties know the other's address. If you are part of an organization that operates behind a firewall or proxy server, the web site will see the address of that machine rather than your machine.
What if I'm not using a firewall?
Even if your IP address were revealed to the site, it would only tell the web site the address of the machine that you were using when the connection was established. It wouldn't tell the site who you are. It's important to remember that IP addresses are not permanent - corporate networks and Internet Service Providers (ISPs) frequently use Dynamic Host Configuration Protocol (DHCP) to assign an IP address to a machine each time it logs onto the network. In such cases, your machine could have a different IP address every time you log on.
What about DSL connections and other technologies that assign a fixed IP address to each machine?
For the few cases in which a machine has a fixed IP address, it's still possible to disguise it - although, again, it can't be used to identify who you are. Using a proxy server will allow you to mask your machine's IP address, and many web sites provide "anonymizer" services that hide your address.