IE11 Stopped Accepting Cross-Domain Cookie Policies

Question

I just noticed an odd cookie policy problem that only affects IE. I could only test on IE11. Perhaps you know a workaround?

Step 1. This requires 2 domains. We'll call them cart.com and tracking.com.

Step 2. Using IE11, browse over to https://tracking.com/index.php and it should contain this:

<?php

setcookie('track_test', 'mytest', time()+60*60*24*365, '/', '.tracking.com');
?>
<p>COOKIE SET</p>
<p><a href="https://cart.com/purchase.php">Buy Now</a></p>

Step 3. Click the Buy Now in https://tracking.com/index.php and it should take you to https://cart.com/purchase.php, which should contain this:

// ABOVE THIS LOOKS LIKE AN ORDINARY HTML5 PAGE THAT LOADS jQuery.
<script type="text/javascript">
$(document).ready(function(){

  $('BODY').append('<img alt="" width="1" height="1" src="https://tracking.com/pixel.php" />');

});
</script>

Step 4. So, viewing purchase.php should fire https://tracking.com/pixel.php, which looks like so:

<?php
file_put_contents('output.txt',var_export($_COOKIE,TRUE),FILE_APPEND);
// RETURN FAKE IMAGE RESULT
header('Content-type: image/gif');
header('p3p:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
die(base64_decode('R0lGODlhAQABAJAAAP8AAAAAACH5BAUQAAAALAAAAAABAAEAAAICBAEAOw=='));

Step 5. Now, view your output.txt on the tracking.com server. You'll find it empty. That's the problem -- it can't read the cookies. There's a cookie policy restriction, even though I have sent the proper "ignore all that, my friend" cookie header.

Now, repeat the process with Chrome and Firefox -- no issues.

Okay, so, if you go back and switch the pixel from Javascript to purely HTML to call that pixel, it won't work that way either. But if you call the pixel manually in the URL of your browser, it works just fine from IE. Our tracking used to work, so I believe this problem just occurred with IE11.

But here's my conundrum -- I'm working with a third-party, and they are passing some extra things to my pixel script like order total and order transaction ID via query parameters on the end of the pixel script URL, and those are only available to my script via Javascript. That's why I can't use the HTML technique to load that pixel script -- but must inject it at runtime using jQuery (or Javascript) in order to get that order total and order transaction ID.

Answer 1

The answer is simple -- this no longer works in IE, starting with IE11. One will have to pass parameters a different way through their shopping cart in order for the receipt/thankyou page to post those parameters back properly without having cookies to be read on the receiving pixel script.

Microsoft posted information about this on their website:

https://msdn.microsoft.com/en-us/library/mt146424(v=vs.85).aspx

"Recommended practice is to avoid deploying P3P privacy policies on your site."

So, if you use a fake GIF in a script with a P3P header to access a cookie set previously on the tracking domain -- it's now broken in IE11 and Microsoft doesn't care to post why or to offer another solution. There are many web advertising tracking platforms out there that rely on this, and Microsoft just broke them.