How PHP leverages P3P to implement cross-domain cookies (PHP techniques)

Source: Internet
Author: User

Apart from the common approaches such as JS cross-domain and iframe cross-domain access, P3P can also be used to achieve cross-domain access.

What is P3P?
P3P (Platform for Privacy Preferences) is a privacy protection recommendation published by the W3C (World Wide Web Consortium) to give users control over their privacy.

The idea behind the P3P standard is that a web site's privacy policy should tell visitors what type of information the site collects, to whom the information will be provided, how long it will be retained, and how it is used, for example "this site will monitor the pages you visit to improve site usability" or "this site will provide you with as much relevant advertising as possible". Users visiting a P3P-enabled web site can view the site's privacy report and then decide whether to accept cookies or use the site.

How to use P3P to implement cross-domain cookies
In development, the cross-domain problems we run into are mostly in IE: when a page is embedded via an iframe or frame, or accessed cross-domain from JS, IE's security policy prevents that page from setting cookies. If we add a P3P header, however, this restriction no longer applies. That is the precondition that makes it feasible to break through the cross-domain limit with P3P.

The following excerpts illustrate this:
http://www.a.com/a_setcookie.php file contents:
<?php setcookie("test", $_GET['id'], time() + 3600, "/", ".a.com"); ?>
http://www.a.com/a_getcookie.php file contents:
<?php var_dump($_COOKIE); ?>
http://www.b.com/b_setcookie.php file contents:
<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>
Access via browser:

1. http://www.b.com/b_setcookie.php
2. http://www.a.com/a_getcookie.php

After visiting the b.com page (1) and then the a.com page (2), we find that no cookie has been set for the a.com domain.
Change the contents of http://www.a.com/a_setcookie.php to the following:

<?php
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie("test", $_GET['id'], time() + 3600, "/", ".a.com");
?>

Visit again:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
This time, after visiting the b.com page, the cookie for the a.com domain has been set.
The example above shows how cross-domain cookie setting is achieved by sending a P3P header. (In Firefox the cross-domain cookie is set even without sending the P3P header.)

PHP uses the P3P protocol

header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

JS uses the P3P protocol

xmlhttp.setRequestHeader("P3P", 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

Explanation of the P3P header parameters
Reference:

P3P header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

A compact policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.

CURa
Information is used to complete the activity for which it was provided.

ADMa
Information may be used for the technical support of the web site and its computer system.

DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.

PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or e-mail address) to the record. This profile is used to determine the habits, interests, or other characteristics of individuals for the purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or e-mail address) to the record. This profile is used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

BUS
Information is retained under the service provider's stated business practices. Sites must have a retention policy that establishes a destruction timetable. The retention policy must be included in or linked from the site's human-readable privacy policy.

UNI
Non-financial identifiers, excluding government-issued identifiers, issued for the purpose of consistently identifying or recognizing the individual. These include identifiers issued by a web site or service.

PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.

INT
Data actively generated from or reflecting explicit interactions with a service provider through its site, such as queries to a search engine or logs of account activity.

DEM
Data about an individual's characteristics, such as gender, age, and income.

STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously, such as HTTP cookies.

PRE
Data about an individual's likes and dislikes, such as favorite color or musical tastes.

COM
Information about the computer system that the individual is using to access the network, such as the IP number, domain name, browser type or operating system.

NAV
Data passively generated by browsing the web site, such as which pages are visited and how long users stay on each page.

OTC
Other types of data not captured by the above definitions.

NOI
The web site does not collect identified data.

DSP
The privacy policy contains dispute-resolution elements.

COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
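As an added example (not code from the original article), here is a JavaScript parser for the compact-policy value of a P3P header like the one sent above: it splits the CP string into tokens, separates the a/i/o modifier suffix, describes each token using the list above, and reports tokens it does not recognize, so an operator can check what a response actually declares before trusting it to unblock cookies in IE. The token table and sample header come from this article; the meaning of the 'a' suffix ("always") is from the P3P specification, not from this page.

```javascript
// Token meanings, shortened from the list above (this article's tokens only).
const CP_TOKENS = {
  CUR: "completion of the current activity",
  ADM: "technical support of the site and its systems",
  DEV: "research and development of the site",
  PSA: "pseudonymous analysis",
  PSD: "pseudonymous decision-making",
  OUR: "recipients: ourselves and our agents",
  BUS: "retention per stated business practices",
  UNI: "unique non-government identifiers",
  PUR: "purchase information",
  INT: "interactive data (queries, account activity)",
  DEM: "demographic data",
  STA: "state management, e.g. HTTP cookies",
  PRE: "preference data",
  COM: "computer information (IP, browser, OS)",
  NAV: "navigation / clickstream data",
  OTC: "other data not covered above",
  NOI: "no identified data collected",
  DSP: "policy has dispute-resolution elements",
  COR: "errors will be corrected by the service",
};
// Modifier suffixes: 'a' = always (P3P spec), 'i' = opt-in, 'o' = opt-out.
const SUFFIX = { a: "always", i: "opt-in", o: "opt-out" };

// Parse a P3P header value such as 'CP="CURa ADMa ..."'.
// Returns { tokens: [{token, modifier, meaning}], unknown: [raw] };
// throws if the value carries no CP="..." compact policy at all.
function parseCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  if (!m) throw new Error('no CP="..." compact policy in header');
  const tokens = [], unknown = [];
  for (const raw of m[1].trim().split(/\s+/).filter(Boolean)) {
    const tm = /^([A-Z]{3})([aio])?$/.exec(raw);
    if (!tm || !(tm[1] in CP_TOKENS)) { unknown.push(raw); continue; }
    tokens.push({ token: tm[1], modifier: tm[2] ? SUFFIX[tm[2]] : null,
                  meaning: CP_TOKENS[tm[1]] });
  }
  return { tokens, unknown };
}

// Does the policy declare STA (cookies / state management) as collected data?
function declaresCookies(headerValue) {
  return parseCompactPolicy(headerValue).tokens.some(t => t.token === "STA");
}

// Sample input: the exact header value the article's PHP script sends.
const ARTICLE_HEADER = 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"';
for (const t of parseCompactPolicy(ARTICLE_HEADER).tokens)
  console.log(`${t.token}${t.modifier ? " (" + t.modifier + ")" : ""}: ${t.meaning}`);
```

Note that the header is a self-declaration: IE only checks that a syntactically acceptable compact policy is present, so this parser tells you what a site claims, not what it does.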


PS: the cross-domain problem described here is essentially about setting cookies. If you need to read cookies cross-domain, make sure the response that set those cookies also sent the P3P header; otherwise IE will block the cross-domain cookies when they are read.
