Web Browser Hall of Fame & Shame
A comprehensive comparison and analysis of web browser
privacy-enforcement characteristics, features, and defects.


Internet Explorer v7: Ignores its Privacy Settings!!
Shortly after beginning work on this third‑party cookie notification system, we and our many pre-release testers discovered that version 7 of Microsoft's Internet Explorer web browser is unable to distinguish between first-party and third-party cookies. IEv7 ignores any third-party cookie settings applied through its user-interface controls, including the use of advanced XML configuration files, and treats third-party cookies exactly like first-party cookies. There is nothing we have discovered that any user can do to change this.

IEv7 was initially released on October 18th of 2006, so we assumed that somewhere along the way, as a result of its virtually continual security patching, fixing, and updating, Microsoft must have inadvertently broken its third-party cookie handling. But the earliest version of IE7 we could find, dated several months after its initial release (April, 2007), is just as broken as today's fully patched version.

Both IEv6 and the current beta releases of IEv8 behave correctly. It is only IEv7, the most-used web browser in the world, that is unable to selectively block third-party cookies.

Since this is a significant defect in the browser's operation, it must be that Microsoft does not know about this. It could not be that they don't care, though it's somewhat difficult to imagine that they never noticed that IEv7 has never honored a fundamental aspect of Internet privacy enforcement. Since this really needs to be fixed, it is our hope that these pages will help to raise awareness of this trouble, and that Microsoft will quickly address this issue.

Until then—unfortunately—there is no way that we have found for IEv7 users to enforce their privacy against pervasive third-party Internet tracking while using IEv7. Users who cannot wait for a fix from Microsoft could either install the pre-release beta of IEv8 (which does work) or switch to a different make & model of web browser (Firefox, Opera, or Safari) which correctly obeys its user interface controls.

Firefox v2: Third-Party Cookie Leakage
Though not as sweeping as the lack of IEv7 third-party cookie discrimination, this system also quickly revealed cookie-handling bugs in both v2 and the pre-release beta v3 of Firefox. (These bugs allowed blocked third-party cookies to "leak out" during third-party asset queries in web page headers.) The Firefox developers, who were monitoring this work, quickly rewrote the critical aspects of FFv3 to fix this problem, but so far, as of FF v2.0.0.14, they have not returned to fix the current release of Firefox version 2. It is not known whether they plan to, or will. (If you would like them to, please shake their tree a bit.) And while you're at it, you might also ask them to add back the simple "[ ] Accept third-party cookies" user-interface checkbox which earlier versions of Firefox had, but which was removed from FFv2. Note that in apparent reaction to these third-party cookie pages, the Firefox developers recently returned this simple-to-use checkbox to the FFv3 user-interface, thus earning FFv3 a nice green indicator in the chart below. (Thank you FFv3 developers!)
And speaking of the chart below...

The following chart characterizes many details of cookie handling by all major Windows and Macintosh browsers. Where a browser is cross-platform (such as Firefox that runs on many platforms, or Apple's Safari that runs on Macs and PCs), the browser's common codebase causes it to offer identical behavior and options across all supported platforms.

For an explanation of each line of the chart, please see "The significance of each chart line" below:
For those items accompanied by a number, please see the corresponding note below the table:

                                  Internet Explorer          Firefox            Opera   Safari
                                  v6       v7       v8       v2       v3       v9      Mac/PC
Can block third-party cookies     Yes      No (1)   Yes      No (2)   Yes      Yes     Yes
Blocks third-parties by default   No       No       No       No       No       No      Yes
Easy to use user-interface        No (3)   No (3)   No (3)   No (4)   Yes      Yes     Yes
Built-in cookie manager           No       No       No       Yes      Yes      Yes     Yes
Per-site cookie exceptions        Yes      Yes      Yes      Yes      Yes      Yes     No
Blocks outgoing cookies           Yes      Yes      Yes      Yes      Yes      Yes     No
Can discard new cookies           Yes      Yes      Yes      Yes      Yes      Yes     No
Honors P3P headers                Yes      Yes      Yes      Yes (5)  Yes      Yes     Yes

Web Browser Behavior Notes
  1. The current release of Microsoft's Internet Explorer v7 is unable to selectively block third-party cookies. It can block all cookies (which is not very useful on today's web), but it is unable to selectively allow intended first-party cookies while blocking unintended third-party cookies.
  2. The current release (v2.0.0.14) of Firefox v2 contains a cookie handling bug that allows blocked third-party cookies to leak out during browser requests for assets located in page headers. It is impossible to fully block third-party cookie transactions with FFv2.
  3. Internet Explorer's privacy configuration user-interface provides a slider for specifying the browser's cookie handling. Unfortunately, due to IE's usage of P3P headers, either all cookies are blocked or third-party cookies are allowed. See the Internet Explorer page for additional information.
  4. The Firefox developers removed the simple "[ ] Accept third-party cookies" option from the current version 2 of Firefox. The previous Firefox v1.5 had this option, and v3 recently added it back . . . but not v2. See our Firefox page for information on manually setting this option.
  5. Firefox v2 and earlier reluctantly supported this nutty P3P idea. But it was dropped from FFv3 so that today only Internet Explorer continues to support this really bad idea.
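
The "Can block third-party cookies" row and the first two notes describe behavior that can be checked from the server side: with third-party blocking switched on in the browser, no request to a third-party host should carry a Cookie header. The following is an added example, not GRC's code; the `.test` hostnames, paths, and log records are constructed, and a "site" is approximated as the last two DNS labels, where a real check would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed records, as a test server might log them (not real traffic).
# The hypothetical test page on www.example-shop.test references one
# third-party asset from its <head> (/head.css) and one from its <body>
# (/body.gif). The browser under test is set to block third-party cookies.
SAMPLE_REQUESTS = [
    {"host": "www.example-shop.test", "path": "/cart",
     "referer": "", "cookie": "session=abc"},
    {"host": "static.example-shop.test", "path": "/site.css",
     "referer": "http://www.example-shop.test/cart", "cookie": "session=abc"},
    {"host": "ads.tracker.test", "path": "/head.css",
     "referer": "http://www.example-shop.test/cart", "cookie": "uid=42"},
    {"host": "ads.tracker.test:80", "path": "/body.gif",
     "referer": "http://www.example-shop.test/cart", "cookie": ""},
]

def site_of(host):
    """Assumption: site = last two DNS labels (simplified, no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(request):
    """Compare the asset's host with the page the user was viewing (Referer)."""
    page_host = urlsplit(request["referer"]).hostname
    if not page_host:
        return "unknown"  # typed URL or bookmark: nothing to compare against
    asset_host = request["host"].split(":")[0]  # drop an optional port
    same_site = site_of(page_host) == site_of(asset_host)
    return "first-party" if same_site else "third-party"

def find_leaks(requests):
    """Third-party requests that still carried a cookie despite blocking."""
    return [(r["host"], r["path"]) for r in requests
            if classify(r) == "third-party" and r["cookie"].strip()]

def blocks_third_party(requests):
    """True only if no third-party request in the log carried a cookie."""
    return not find_leaks(requests)

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(classify(r), r["host"], r["path"], "cookie" if r["cookie"] else "-")
    print("leaks:", find_leaks(SAMPLE_REQUESTS))
```

In the constructed log only the asset referenced from the page header leaks, which is why a test page has to reference third-party assets from both the header and the body.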
The significance of each chart line:

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Apr 17, 2008 at 12:46