About the simple p3p policy and browser support.

Source: Internet
Author: User
Tags: form post
The summary part is taken from a book about the P3P privacy policy. The detailed table is from w3.org. The test data was tested by myself. If there are any omissions or errors, please confirm. Related resources: 1. http://www.w3.org/P3P/ 2. http://www.w3.org/TR/2002/REC-P3P-20020416/


Brief description:


In essence, a P3P policy is composed of answers to a series of multiple-choice questions. It therefore does not carry as much detail as a human-readable privacy policy (for example, a policy written in English or another natural language, which is meant to be read by people rather than recognized by computers). The standard format of the P3P policy makes it easy to process automatically. The P3P specification also contains the protocol used to request and transmit P3P policies. The HTTP protocol used by the P3P protocol is the same one Web browsers use to communicate with Web servers. As shown in Figure 1-1 (of the book), the P3P user agent obtains the policy reference file from a well-known location on the web site using a standard HTTP request. This policy reference file specifies the location of the P3P policy file that applies to each part of the site. The whole site may use a single policy, or different parts of the site may each use their own. In this way the user agent can obtain the appropriate policy according to the user's choice, parse it, and take the corresponding action.

P3P also allows a site to place the policy reference file elsewhere. In that case the site must declare the location of the policy reference file with a specific HTTP header, or embed a LINK tag in the HTML file to which the P3P policy applies. A specific HTTP header can also be used to transmit an optional P3P compact policy at any time. The compact policy is a short summary of the complete P3P policy: it describes only the data handling practices related to cookies and does not require the full expressiveness of a P3P policy.

How to make a web site support P3P:
From a technical point of view, it is easy to make a web site support P3P. However, it requires site operators to look at their data handling practices more carefully than before, and to coordinate the policies and practices of the various hosts in the domain. The steps are:

1. Create a privacy policy.
2. Analyze cookie usage and third-party content on your site.
3. Determine whether to apply one P3P policy to the entire site or different P3P policies to different parts of the site.
4. Create one or more P3P policies for the site.
5. Create a policy reference file for the site.
6. Configure the server for P3P.
7. Test the site to make sure it really supports P3P.

Most websites that support P3P place a P3P policy reference file on each server and one or more P3P policies on a central server. These sites also configure their servers to send a P3P compact policy whenever they set a cookie. The P3P policy includes the following information:

● How to contact the company, organization, or individual that owns the site.
● Whether users can access the personal information stored in the site's database.
● How privacy disputes with the site are resolved (customer service desks, privacy seals, privacy-related laws, and so on).
● The types of data collected.
● The purposes for which the collected data is used, and whether the user can opt in to or out of those purposes.
● Whether and when the information is shared, and whether the user has a choice in the matter.
● Whether collected user information is periodically cleared.

There are many software tools to help Web site developers build sites that support P3P. For the latest list of P3P tools, visit http://p3ptoolbox.org/tools/ and http://www.w3.org/P3P/implementations/

HTTP response header corresponding to the compact policy:


Related resource: http://www.w3.org/2002/04/P3Pv1-header.html

Compact policies (concise policies)

A compact policy is essentially a summary of the P3P policy. Its role is to let the user agent obtain the site's P3P policy information quickly, which is good for performance. To explain compact policies thoroughly, the restrictive syntax from the P3P 1.0 specification [4] is listed below:

    compact-policy-field     = `CP="` compact-policy `"`
    compact-policy           = compact-token *(" " compact-token)
    compact-token            = compact-access | compact-disputes | compact-remedies |
                               compact-non-identifiable | compact-purpose | compact-recipient |
                               compact-retention | compact-categories | compact-test
    compact-access           = "NOI" | "ALL" | "CAO" | "IDC" | "OTI" | "NON"
    compact-disputes         = "DSP"
    compact-remedies         = "COR" | "MON" | "LAW"
    compact-non-identifiable = "NID"
    compact-purpose          = "CUR" | "ADM" [creq] | "DEV" [creq] | "TAI" [creq] |
                               "PSA" [creq] | "PSD" [creq] | "IVA" [creq] | "IVD" [creq] |
                               "CON" [creq] | "HIS" [creq] | "TEL" [creq] | "OTP" [creq]
    creq                     = "a" | "i" | "o"
    compact-recipient        = "OUR" | "DEL" [creq] | "SAM" [creq] | "UNR" [creq] |
                               "PUB" [creq] | "OTR" [creq]
    compact-retention        = "NOR" | "STP" | "LEG" | "BUS" | "IND"
    compact-categories       = "PHY" | "ONL" | "UNI" | "PUR" | "FIN" | "COM" |
                               "NAV" | "INT" | "DEM" | "CNT" | "STA" | "POL" |
                               "HEA" | "PRE" | "LOC" | "GOV" | "OTC"
    compact-test             = "TST"


The P3P header for the compact policy we commonly use is:

    P3P: CP="CAO PSA OUR"

(In fact, CP="." or any other value is accepted by the browser.) The tokens correspond to:

Compact-access: CAO (contact-and-other)

"Identified contact information and other identified data: access is given to identified online and physical contact information as well as to certain other identified data." My understanding is: access to identified information and data is allowed (third-party cookies may be read and written).

Compact-purpose: PSA (pseudo-analysis). This is not explained further; the literal meaning is obvious, and the purpose is to perform identity verification and analysis.

Compact-recipient: OUR (ours)

"Ourselves and/or entities acting as our agents or entities for whom we are acting as an agent: an agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information)." My understanding: this declares who uses the relevant information, whether as a third party or as an agent. Third-party cookies need to be operated on, so this is probably the meaning.
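To make the grammar above concrete, here is an added example (not code from the original post or from the W3C) that validates a P3P header value token by token and refuses to emit a Set-Cookie response whose compact policy does not parse. The token tables are copied from the grammar above; the sample header values at the bottom, including the "CP=." that the post reports IE accepts anyway, and the cookie name/value, are constructed for this example.

```javascript
'use strict';

// Added example, not code from the original post: a validator for the P3P
// compact-policy header value, following the compact-policy grammar of the
// P3P 1.0 specification. The token tables are the spec's; the header values
// tried at the bottom are constructed for this example.

const CREQ = ['a', 'i', 'o']; // optional suffix: a = always, i = opt-in, o = opt-out

// One entry per compact-token class. "creq" lists tokens that may carry an
// a/i/o suffix (e.g. ADMa); "plain" lists those that never do.
const TOKEN_CLASSES = {
  access:             { plain: ['NOI', 'ALL', 'CAO', 'IDC', 'OTI', 'NON'] },
  disputes:           { plain: ['DSP'] },
  remedies:           { plain: ['COR', 'MON', 'LAW'] },
  'non-identifiable': { plain: ['NID'] },
  purpose:            { plain: ['CUR'],
                        creq: ['ADM', 'DEV', 'TAI', 'PSA', 'PSD', 'IVA', 'IVD', 'CON', 'HIS', 'TEL', 'OTP'] },
  recipient:          { plain: ['OUR'], creq: ['DEL', 'SAM', 'UNR', 'PUB', 'OTR'] },
  retention:          { plain: ['NOR', 'STP', 'LEG', 'BUS', 'IND'] },
  categories:         { plain: ['PHY', 'ONL', 'UNI', 'PUR', 'FIN', 'COM', 'NAV', 'INT', 'DEM',
                                'CNT', 'STA', 'POL', 'HEA', 'PRE', 'LOC', 'GOV', 'OTC'] },
  test:               { plain: ['TST'] },
};

// Classify one token; returns null when it is not in the grammar. Case is
// normalised to the canonical form (upper-case token, lower-case suffix).
function classifyToken(tok) {
  const base = tok.slice(0, 3).toUpperCase();
  const suffix = tok.slice(3).toLowerCase();
  for (const [cls, def] of Object.entries(TOKEN_CLASSES)) {
    if (suffix === '' && def.plain.includes(base)) return { cls, base, creq: null };
    if (def.creq && def.creq.includes(base) && (suffix === '' || CREQ.includes(suffix))) {
      return { cls, base, creq: suffix || null };
    }
  }
  return null;
}

// Parse a raw P3P header value such as 'CP="CAO PSA OUR"'.
// Returns { valid, tokens, errors }; every unknown token is reported.
function parseCompactPolicy(headerValue) {
  const m = /^\s*CP\s*=\s*"([^"]*)"\s*$/i.exec(headerValue);
  if (!m) return { valid: false, tokens: [], errors: ['value is not of the form CP="..."'] };
  const errors = [];
  const tokens = [];
  const words = m[1].trim().split(/\s+/).filter(Boolean);
  if (words.length === 0) errors.push('compact policy is empty');
  for (const w of words) {
    const info = classifyToken(w);
    if (info) tokens.push(info);
    else errors.push('unknown token "' + w + '"');
  }
  return { valid: errors.length === 0, tokens, errors };
}

// Build the response headers that deliver a compact policy alongside a cookie,
// refusing to emit a value that does not parse. Cookie name and value are
// placeholders for whatever the server actually sets.
function buildCookieHeaders(policyTokens, cookieName, cookieValue) {
  const value = 'CP="' + policyTokens.join(' ') + '"';
  const parsed = parseCompactPolicy(value);
  if (!parsed.valid) {
    throw new Error('refusing to send invalid compact policy: ' + parsed.errors.join('; '));
  }
  return { 'P3P': value, 'Set-Cookie': cookieName + '=' + cookieValue + '; Path=/' };
}

// Constructed sample header values: the post's own header, the "CP=." that the
// post reports IE accepts regardless of content, and a token with a creq suffix.
for (const sample of ['CP="CAO PSA OUR"', 'CP="."', 'CP="CAO ADMa OUR"']) {
  const r = parseCompactPolicy(sample);
  console.log(sample, '->', r.valid
    ? r.tokens.map((t) => t.cls + ':' + t.base + (t.creq || '')).join(', ')
    : r.errors.join('; '));
}
console.log(buildCookieHeaders(['CAO', 'PSA', 'OUR'], 'sid', 'example'));
```

Run it under Node; the point of the validator is the contrast the post draws later: a browser that accepts CP="." is not checking the grammar, whereas this parser flags "." as an unknown token, so the server side can at least guarantee it never ships a malformed policy.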

PS: the other items are not listed here. Among browsers, only IE supports this (Chrome partially). That is the fact of the matter; in-depth research is not necessary. If you are interested, follow the links above to read the documents.



Taking IE6 as the example, the status of compact-policy support in user agents and how it is implemented:


IE6 automatically checks the P3P compact policy of web sites that set cookies. You can also configure IE6 to filter out cookies that have no compact policy, or whose compact policy does not match your preferences. When a cookie is blocked, IE6 displays an "eye" symbol in the lower right corner of the browser. You can also select the Privacy Report command from the View menu to have IE6 fetch the site's P3P policy and generate and display a readable version of it.

This amount of prompt feedback is very much in keeping with the P3P privacy philosophy, namely that the user agent should alert the user when appropriate.

Known problems:



In IE6, when third-party cookies carry a P3P header (that is, the P3P compact policy is in use), JS has read and write permission, but there is a bug in writing: for a third-party page, on the first visit the P3P header does not grant JS write permission. The page must be visited a second time, and that page must perform a third-party cookie operation. Reading, of course, always works.

Safari 3: it is hard to write third-party cookies even via POST. Safari 4+ has its own privacy policy and ignores P3P entirely: it does not support P3P, and its own policy is that third-party cookies are disabled by default. In that state neither JS nor HTTP has cookie write permission, only read permission. Third-party cookie writing is allowed only when a form POST is performed. See the following code (in //www.a.com/test.htm):

    // isSafari4or5 is assumed to be set by a browser-detection routine elsewhere
    // (the original writes this condition as pseudocode).
    if (isSafari4or5) {
        var ifm = document.createElement('iframe');
        ifm.name = 'postforcookie';
        ifm.src = 'about:blank';
        ifm.style.display = 'none';     // keep the helper frame invisible (not in the original)
        document.body.appendChild(ifm);
        var form = document.createElement('form');
        form.target = 'postforcookie';  // submit into the hidden frame, not the page itself
        form.action = '//www.php.com/test.php';
        form.method = 'POST';           // the write only works for a POST, as noted above
        document.body.appendChild(form);
        // setCookie is the routine that writes the third-party cookie; under Safari
        // it is replaced by a form submission, and test.php performs the Set-Cookie.
        cookie.setCookie = function () {
            form.submit();
        };
    }

Assume that setCookie is the function used to write a third-party cookie. Under Safari 4 and Safari 5 it is hijacked to trigger the form submit in the code above. At that point, if //www.php.com/test.php performs a cookie write, the third-party cookie is written. The browser tests above were done with third-party cookies allowed, which is the default.


Disable third-party cookies in the following browsers and configure the simple P3P policy:

Firefox: after third-party cookies are disabled in Firefox the behaviour is very direct. Whether via HTTP or JS, cookies can be neither read nor written.

Chrome: Chrome 10 lets you choose whether to allow third-party cookies through about:flags in the address bar. In earlier versions, choose Options > Advanced Options > Privacy - Content Settings > Block third-party cookies. For Chrome 9 and earlier Dev versions, after disabling third-party cookies in the options and configuring the simple P3P policy, JS can read but cannot write cookies, whereas HTTP can. In Chrome 10+, regardless of which method is chosen, only HTTP and JS reads are allowed; writes are not. Chrome's non-Dev versions do not even provide a privacy option for third-party cookies; there is only the list of websites allowed to access cookies, or the cookies of sites that have been actively visited.

Opera: use Tools > Preferences > Advanced > Cookies > "only accept cookies from the site I visit" to disable third-party cookies. The interesting thing about Opera is that once third-party cookies are disabled the P3P header is meaningless, while Opera's own privacy policy is curious: it allows JavaScript reads and writes and HTTP reads, but prohibits HTTP from writing cookies.




Browser | Third-party cookies allowed by default | P3P supported | Effect of the P3P compact-policy header with third-party cookies disabled | Notes
IE6 | No | Yes | HTTP can read and write cookies; JS can read. On the first read of the P3P header JS has no cookie write permission; on the second it works. (The second load must not come straight from the cache, unless the first load bypassed the cache and read the P3P header; the workaround is discussed later.) | Avoid JS writes
IE7-IE9 | No | Yes | HTTP and JS can read and write freely | -
Firefox | Yes | No | Neither HTTP nor JS can read or write | -
Chrome | Yes | Partially; trending to No | The trend is HTTP and JS readable, not writable | -
Safari | No | No | HTTP and JS readable, not writable | Use a form POST for write operations
Opera | Yes | No | JS readable and writable; HTTP readable, not writable | -
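The readable/writable columns in the table come from manual testing in each browser. As an added example (not code from the original post), the following probe reproduces those two checks from inside a page: it looks for a cookie the server is known to have set over HTTP, then attempts a throw-away write and checks whether it persisted. In a real browser you would pass `document`; the stub cookie jar and the cookie names below are constructed so the probe can also run offline, with the stub modelling the three behaviours the table records.

```javascript
'use strict';

// Added example, not code from the original post: a probe that reports whether
// the JavaScript in a page (for instance a third-party page inside an iframe)
// can see a cookie the server set over HTTP, and whether it can write one.
// It takes a document-like object so it runs in a browser (pass document) or
// offline against the constructed stub below.

// Return the value of a named cookie from a document.cookie string, or null.
function readCookie(doc, name) {
  const prefix = name + '=';
  for (const part of String(doc.cookie || '').split(';')) {
    const p = part.trim();
    if (p.indexOf(prefix) === 0) return decodeURIComponent(p.slice(prefix.length));
  }
  return null;
}

// Probe read and write access. `knownCookie` is the name of a cookie the
// server is known to have set over HTTP; if JS cannot see it, reads are blocked.
// The write test sets a throw-away cookie, checks it persisted, then deletes it.
function probeCookieAccess(doc, knownCookie) {
  const readable = readCookie(doc, knownCookie) !== null;
  const probeName = 'p3p_probe_' + Date.now();
  let writable = false;
  try {
    doc.cookie = probeName + '=ok; path=/';
    writable = readCookie(doc, probeName) === 'ok';
  } catch (e) {
    writable = false; // some engines throw instead of silently dropping the write
  }
  if (writable) {
    doc.cookie = probeName + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/';
  }
  return { readable, writable };
}

// Constructed stub standing in for document in an offline run. allowRead=false
// models Firefox with third-party cookies blocked (document.cookie reads empty);
// allowWrite=false models Chrome 10+ / Safari, where reads work but writes are dropped.
function makeCookieJar({ allowRead = true, allowWrite = true, initial = {} } = {}) {
  const jar = new Map(Object.entries(initial));
  return {
    get cookie() {
      if (!allowRead) return '';
      return Array.from(jar, ([k, v]) => k + '=' + v).join('; ');
    },
    set cookie(str) {
      if (!allowWrite) return; // silently dropped, as a blocking browser does
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq);
      const value = pair.slice(eq + 1);
      const expired = attrs.some((a) => /^expires=/i.test(a) && new Date(a.slice(8)) < new Date());
      if (expired) jar.delete(name); else jar.set(name, value);
    },
  };
}

// Run the probe against the three behaviours the table records.
const scenarios = {
  'IE7-IE9 with compact policy':  makeCookieJar({ initial: { sid: 'set-by-http' } }),
  'Chrome 10+ / Safari':          makeCookieJar({ allowWrite: false, initial: { sid: 'set-by-http' } }),
  'Firefox, third-party blocked': makeCookieJar({ allowRead: false, allowWrite: false, initial: { sid: 'set-by-http' } }),
};
for (const [label, doc] of Object.entries(scenarios)) {
  console.log(label, probeCookieAccess(doc, 'sid'));
}
```

In a browser, embed this in the third-party page and report `probeCookieAccess(document, '<name of a cookie your server set>')` back to your own origin; the probe cleans up after itself, so it can be left in a test page without accumulating cookies.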


Conclusions:

1. In fact, the simple P3P policy can be abbreviated to P3P: CP=".". That is to say, IE's support for the compact policy is a joke: no content is read at all, at least as far as third-party cookie operations are concerned.
2. The IE6 implementation has bugs. Note: when a third-party page is accessed for the first time, JS cannot write a third-party cookie. We recommend avoiding writing cookies from JavaScript whenever possible.
3. To handle Safari, you need at least one back-end endpoint to cooperate with the front end. (5.14+ unavailable.)
4. For third parties, we recommend avoiding JavaScript cookie operations altogether: at most read the cookie, never write it. Unless it is related to login verification, we recommend using storage instead of cookies.

Finally:

If you must use IE6 and write cookies from JS, there is a very painful approach. Let the server cache the resource configuration (including the reverse proxy and the client), then refresh the page under IE6; in that case it works. The refresh must use location.reload(false), which goes through the client cache first, and the server-side 304 handling must validate that cache reliably. The advantage of doing it this way is that cookie writing is guaranteed, and, if the page is a static resource, the reverse proxy's availability is preserved as well. Otherwise, simply use dynamic resources and write the cookie over HTTP. Note that, apart from refreshing the page, other ways of loading the page resource in order to pre-read its P3P compact policy header do not work; for example, pre-reading it once with <script type="text/c"> is useless. If you had that idea, better give it up early.

PS: if IE6 JS cannot write cookies, add <meta charset="UTF-8"/>. As for why, I don't know either. I only know that if the encoding is not declared, IE6 may fail to write the cookie after P3P is configured and report that the privacy policy cannot be read, and so on.

