Comment Re:misleading/wrong question (Score 1) 258
Actually I did, several times. Just to save time, here are some relevant sections:
If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.
Compact policies are summarized P3P policies that provide hints to user agents to enable the user agent to make quick, synchronous decisions about applying policy. Compact policies are a performance optimization that is OPTIONAL for either user agents or servers. User agents that are unable to obtain enough information from a compact policy to make a decision according to a user's preferences SHOULD fetch the full policy.
So, from this, we find that 1) If a token cannot be parsed, it should be considered to not exist, and the cookie blocked, and 2) If the full P3P compact policy cannot be read, or does not contain enough information, the full P3P policy should be fetched and followed instead.
What actually happened is, Google sent a policy that could not be parsed by this dead, unused by pretty much anyone but IE system, and IE helpfully ignored TWO separate sections of the spec and accepted it. This is now Google's fault, I guess.
By default, IE blocks anything without a P3P policy in place. In order for many sites to do what they need to do, they also present P3P headers that are not necessarily accurate. Microsoft does it themselves. Facebook does it too. What IE fails to do is block anything it cannot parse, as it should be doing.
In any event, all this is still a moot point. I still haven't heard anyone explain to me how attaching tracking cookies for users that specifically opted in to those targeted ads is a privacy violation. I can't hand you my social security card, then claim breach of privacy because you have my name and social security number.
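The two spec rules quoted in the comment above, as an added example that is not part of the comment or of any browser's code: a sketch of a user agent that drops unrecognized compact-policy tokens and falls back to fetching the full policy when nothing usable is left. The token vocabulary is the P3P 1.0 one; the function names and header samples are constructed, and treating "at least one recognized token" as enough information is an assumption of this sketch.

```javascript
// P3P 1.0 compact-policy vocabulary: access, disputes, remedies,
// non-identifiable, retention, test and category tokens.
const PLAIN = new Set(("NOI ALL CAO IDC OTI NON DSP COR MON LAW NID " +
  "NOR STP LEG BUS IND TST " +
  "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC").split(" "));
// Purpose and recipient tokens; most may carry a suffix:
// a (always), i (opt-in), o (opt-out).
const PURPOSE = new Set("CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP".split(" "));
const RECIPIENT = new Set("OUR DEL SAM UNR PUB OTR".split(" "));

// Simplification: the suffix is accepted on any purpose or recipient token,
// and matching is case-sensitive.
function isKnownToken(tok) {
  if (PLAIN.has(tok)) return true;
  const m = /^([A-Z]{3})([aio])?$/.exec(tok);
  return m !== null && (PURPOSE.has(m[1]) || RECIPIENT.has(m[1]));
}

// headerValue is the value of a P3P response header,
// e.g. policyref="/w3c/p3p.xml", CP="NOI DSP COR"
function evaluateCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue || "");
  const tokens = m ? m[1].split(/\s+/).filter(Boolean) : [];
  const recognized = [];
  const ignored = [];
  for (const tok of tokens) {
    // Rule 1: an unrecognized token has the same semantics as if it were absent.
    (isKnownToken(tok) ? recognized : ignored).push(tok);
  }
  // Rule 2: with too little information to decide, the agent SHOULD fetch
  // the full policy. Assumption: "too little" means no recognized token.
  const decision = recognized.length > 0
    ? "evaluate-against-preferences"
    : "fetch-full-policy";
  return { recognized, ignored, decision };
}

// Constructed sample headers.
const SAMPLES = [
  'CP="NOI DSP COR PSAa OUR NOR UNI XYZ"', // one unknown token among valid ones
  'CP="This is not a P3P policy"',         // free text, no valid token
  'policyref="/w3c/p3p.xml"',              // no compact policy at all
];
for (const s of SAMPLES) {
  const r = evaluateCompactPolicy(s);
  console.log(s, "->", r.decision, "ignored:", r.ignored.join(" ") || "(none)");
}
```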