Facebook and many other sites also bypass Internet Explorer privacy controls
The case with IE is different. Google (and many other sites) are taking advantage of the P3P protocol (a privacy extension to HTTP) to set third-party cookies. Here is a summary of what Google is doing, from the article:
By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user.
Here is what a valid P3P header looks like, as set by
```
$ nc microsoft.com 80
HEAD / HTTP/1.1
Host: www.microsoft.com

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Tue, 21 Feb 2012 04:29:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Location: http://www.microsoft.com
Content-Length: 23
Content-Type: text/html
Cache-control: private
```
If an invalid P3P header is set, or a header that doesn’t state policy, Internet Explorer will by default accept the third-party cookies (this doesn’t happen in IE9). This is what the P3P header looks like for google.com:
```
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
```
Not mentioned in the Microsoft article is that Facebook are also setting an invalid header (‘invalid’ may not be the right terminology here, but they are setting a header that does not contain valid privacy policies). This results in Internet Explorer (pre version 9) accepting the third-party cookies.
```
$ nc facebook.com 80
GET / HTTP/1.1
Host: www.facebook.com

HTTP/1.1 302 Found
Location: http://www.facebook.com/common/browser.php
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Set-Cookie: datr=FxdDTzq9li7A7DRTAxVSXaZN; expires=Thu, 20-Feb-2014 04:01:27 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Debug: 8V3X/HiIi+1PrEZFy4c8LpavYxpBvnsojJ+pcYyGJUg=
X-Cnection: close
Date: Tue, 21 Feb 2012 04:01:27 GMT
Content-Length: 0
```
The reason Facebook gives for this header in the page that is linked from it is:
The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P. As a result, the P3P standard is now out of date and does not reflect technologies that are currently in use on the web, so most websites currently do not have P3P policies.
Microsoft explicitly called out Google for their behaviour but either neglected to mention or didn’t investigate Facebook (skeptics may believe that this is because of Microsoft’s shareholding in Facebook and their partnerships in search and advertising (HT ask4n)).
If Google is being asked to set proper P3P headers (and it appears that they have already altered at least some of their servers) then Facebook should also be held to the same standard.
Survey of other sites
I looked up the Shodan Research HTTP archive to estimate how many other sites are bypassing Internet Explorer privacy controls for third-party cookies by setting an invalid P3P policy.
The database contains all the HTTP headers for the top 10,000 websites according to Alexa. The relevant headers (P3P, p3p, etc.) show that almost 500 sites are setting invalid P3P headers – almost a full 5% of the top 10,000 web servers surveyed.
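The distinction the post relies on (a compact policy made of P3P tokens, versus a free-text string that IE before version 9 treats as invalid and waves through) can be checked mechanically, which is also the shape of the survey above. The script below is an added example written for this page, not code from the post or from Shodan. It tokenises the `CP=` field of a P3P header against the P3P 1.0 compact-policy vocabulary and reports whether the value is a compact policy, a non-policy string like Google's or Facebook's, empty, or absent. The three real header values are the ones quoted above; the other sample sites and the raw response are constructed. IE's actual satisfactory/unsatisfactory evaluation of a genuine compact policy is not modelled, and the mapping of verdicts to IE behaviour is only what the post states (invalid or policy-less header: cookie accepted; no header: blocked by default).

```python
import re
from collections import Counter

# P3P 1.0 compact-policy vocabulary (W3C P3P 1.0, "Compact Policies").
# PURPOSE and RECIPIENT tokens may carry an a/i/o suffix (always / opt-in / opt-out).
KNOWN_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",                      # ACCESS
    "DSP", "COR", "MON", "LAW", "NID",                             # DISPUTES / REMEDIES / NON-IDENTIFIABLE
    "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",        # PURPOSE
    "CON", "HIS", "TEL", "OTP",
    "OUR", "DEL", "SAM", "UNR", "PUB", "OTR",                      # RECIPIENT
    "NOR", "STP", "LEG", "BUS", "IND",                             # RETENTION
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", # CATEGORIES
    "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",
    "TST",                                                         # TEST
}
TOKEN_RE = re.compile(r"^[A-Z]{3}[aio]?$")            # shape of one compact-policy token
CP_RE = re.compile(r"""\bCP\s*=\s*(["'])(.*?)\1""", re.DOTALL)  # CP='...' or CP="..."

# Constructed sample set. The first three values reproduce the headers quoted in the post;
# the remaining sites are hypothetical and exist only to exercise the edge cases.
SAMPLES = {
    "microsoft.com": "CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'",
    "google.com": 'CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."',
    "facebook.com": 'CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"',
    "no-header.example": None,
    "empty-cp.example": 'CP=""',
    "policyref-only.example": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID"',
}

# Constructed raw response with the facebook.com headers from the post, for the header extractor.
RAW_FACEBOOK_RESPONSE = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Location: http://www.facebook.com/common/browser.php",
    'P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"',
    "Set-Cookie: datr=FxdDTzq9li7A7DRTAxVSXaZN; expires=Thu, 20-Feb-2014 04:01:27 GMT; path=/; domain=.facebook.com; httponly",
    "Content-Type: text/html; charset=utf-8",
    "Content-Length: 0",
    "", "",
])


def p3p_header_value(raw_response):
    """Return the P3P header value from a raw HTTP response, or None (header name is case-insensitive)."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "p3p":
            return value.strip()
    return None


def classify_p3p(value):
    """Classify a P3P header value the way a compact-policy parser would see it.

    Verdicts: 'absent', 'no-cp-field', 'empty', 'not-a-compact-policy', 'compact-policy'.
    'unknown' holds token-shaped words outside the P3P 1.0 vocabulary (tolerated, not fatal);
    'garbage' holds words that are not token-shaped at all (English sentences, URLs).
    """
    result = {"verdict": None, "known": [], "unknown": [], "garbage": []}
    if value is None:
        result["verdict"] = "absent"
        return result
    m = CP_RE.search(value)
    if not m:
        result["verdict"] = "no-cp-field"
        return result
    for word in m.group(2).split():
        if not TOKEN_RE.match(word):
            result["garbage"].append(word)
        elif word[:3] in KNOWN_TOKENS:
            result["known"].append(word)
        else:
            result["unknown"].append(word)
    if not (result["known"] or result["unknown"] or result["garbage"]):
        result["verdict"] = "empty"
    elif result["garbage"] or not result["known"]:
        result["verdict"] = "not-a-compact-policy"
    else:
        result["verdict"] = "compact-policy"
    return result


def ie_pre9_accepts_third_party_cookie(verdict):
    """Behaviour the post describes for IE before version 9.

    True: header is invalid or states no policy, so the third-party cookie is accepted.
    False: no P3P header at all, so the default block applies.
    None: a genuine compact policy, which IE evaluates against its privacy rules (not modelled here).
    """
    if verdict in ("no-cp-field", "empty", "not-a-compact-policy"):
        return True
    if verdict == "absent":
        return False
    return None


def survey(samples):
    """Count verdicts over {site: header value or None}, the shape of the top-sites survey."""
    return Counter(classify_p3p(v)["verdict"] for v in samples.values())


if __name__ == "__main__":
    for site, value in SAMPLES.items():
        r = classify_p3p(value)
        print(f"{site:26} {r['verdict']:22} accepted={ie_pre9_accepts_third_party_cookie(r['verdict'])} unknown={r['unknown']}")
    print(dict(survey(SAMPLES)))
```

Note that the microsoft.com header is accepted as a compact policy even though it contains `CUSo`, a token outside the P3P 1.0 vocabulary; the classifier reports such tokens rather than rejecting the header, since a single unrecognised token is not what distinguishes the Google and Facebook strings, which contain no tokens at all.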