P3P is guilty in blocking of words addition to a dictionary
These days we received a support request from one of our new licensed clients. The problem was as follows. Person was not able to add word to a dictionary. To be more precise it seemed that a word was added to a dictionary, but then was marked as misspelled again.
The reason of the problem was not obvious at a glance. But after further investigation and analysis of requests we arrived at a conclusion that web browser’s processing of P3P blocked words from being added to a dictionary.
What is P3P?
From Wikipedia: “The Platform for Privacy Preferences Project, or P3P, is a protocol allowing websites to declare their intended use of information they collect about browsing users. Designed to give users more control of their personal information when browsing. P3P allows browsers to understand their privacy policies in a simplified and organized manner rather than searching throughout the entire website. By setting your own privacy settings on a certain level, P3P will automatically block any cookies that you might not want on your computer.”
How does P3P affect functionality of the SpellChecker.net?
As soon as user dictionary related functionality is based on cookies web browser’s P3P processing affects this functionality. For Internet Explorer web browser default P3P settings do not allow “third party cookies that do not have a compact privacy policy”. The default behavior can be changed in the browser settings, but we as developers of the application can’t change and cannot recommend to change default settings of the web browser for the thousands or even millions of end-users. SpellChecker.net application use the client side architecture with the frameset where frameset belongs to one security domain and all frames to the other one. For example, when the customer’s web application is running on domain1.com and the Spellchecker.net application is running on domain2.com the domain2.com is a “third party” domain name to domain1.com and is trying to set cookies. Default settings in Internet Explorer web browser do not allow browser to store cookies from domain2.com in this situation.
Problem solving
To avoid this problem the application (in our sample above on domain1.com) need to send additional header. The header named P3P should be prepared. Details on what should be presented in this header can be found here: http://www.p3pwriter.com/LRN_111.asp. It is not correct to set the header inside the SpellChecker.net application as soon as the company who purchased the application may have different policy and may want to change it. The settings can be added to the settings of the web site.
For the IIS web server header can be set specifically to the path /spellcheck/script/ using IIS Management Console. It can be set in the properties dialog of the /script/ directory and choose HTTP Headers tab and add the header.
For the Apache web server header can be set according to apache web server documentation (http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header) using the Header directive:
Header add P3P “[P3P policy value]”
Problem indicator
In the Internet Explorer web browser, the problem with privacy settings can be observed when an eye with a red sign appears in the status bar of browser window like on the shot below:
