PHP leverages P3P for cross-domain

Source: Internet
Author: User
Tags: ip number, setcookie

This article is reposted from another source (the original link was not preserved).

Apart from the common approaches such as JS cross-domain and IFRAME cross-domain, P3P can also be used to achieve cross-domain cookie access.

What is P3P?

P3P (Platform for Privacy Preferences) is a recommended standard for privacy protection, published to give users control over how their personal information is handled.

The idea behind the P3P standard is that a web site's privacy policy should inform visitors what kinds of information the site collects, what information is provided to whom, how long the information is retained, and how it is used. For example, a site might state "This site will monitor the pages you visit to improve site usage" or "This site will provide you with the best possible advertising". A user visiting a P3P-enabled site has the right to view the site's privacy report and then decide whether to accept its cookies or use the site at all.

How to use P3P to implement cross-domain

In development, the cross-domain problems we run into are mostly in IE: when a page is loaded inside an iframe or frame, or when JS makes a cross-domain request, IE's security policy refuses to send or store cookies for the embedded (third-party) page. If the server adds a P3P header, IE no longer applies this restriction. That is the premise that makes it feasible to use P3P to get past the cross-domain limitation.

The following excerpts are an example:

http://www.a.com/a_setcookie.php file contents:
<?php setcookie("test", $_GET['id'], time() + 3600, "/", ".a.com"); ?>

http://www.a.com/a_getcookie.php file contents:
<?php var_dump($_COOKIE); ?>

http://www.b.com/b_setcookie.php file contents:
<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>

Access via browser, in this order:
1. http://www.b.com/b_setcookie.php
2. http://www.a.com/a_getcookie.php

After visiting (1) on the b.com domain, the cookie it tried to set for the a.com domain is not visible when we visit (2).

Change the contents of http://www.a.com/a_setcookie.php to the following:
<?php
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie("test", $_GET['id'], time() + 3600, "/", ".a.com");
?>

Visit again, in the same order:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php

This time, after visiting the b.com page, the cookie for the a.com domain has been set.

From the example above we can see that the cross-domain cookie is achieved by sending the P3P header. (In Firefox the cross-domain cookie is set even without sending P3P.)
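A hardened version of a_setcookie.php, added here as an example and not taken from the original article: it keeps the P3P header that makes IE accept the third-party cookie, but validates the id parameter instead of copying it straight into Set-Cookie, and sets the cookie flags a cross-site cookie needs in current browsers (the domain ".a.com" and cookie name "test" are assumed from the article; the options-array form of setcookie needs PHP 7.3+).

```php
<?php
// Added example (not from the original article): a hardened a_setcookie.php.
// The P3P header is what lets IE accept the third-party cookie; the rest is
// defensive handling the original example lacks.

// The compact policy tokens from the article, kept in one place.
const P3P_COMPACT_POLICY = 'CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM '
    . 'STA PRE COM NAV OTC NOI DSP COR';

// Only a plain hostname-like value is accepted as the cookie value; anything
// else is rejected instead of being echoed into a Set-Cookie header unchecked.
function valid_cookie_value(?string $value): bool
{
    return $value !== null
        && strlen($value) <= 253
        && preg_match('/^[A-Za-z0-9.-]+$/', $value) === 1;
}

function p3p_header(): string
{
    return 'P3P: CP="' . P3P_COMPACT_POLICY . '"';
}

$id = $_GET['id'] ?? null;
if (!valid_cookie_value($id)) {
    http_response_code(400);
    exit('invalid id');
}

header(p3p_header());            // must be sent before any output
setcookie('test', $id, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'domain'   => '.a.com',      // assumed domain from the article
    'secure'   => true,          // only over HTTPS
    'httponly' => true,          // not readable by page script
    'samesite' => 'None',        // required for a cross-site cookie in modern browsers
]);
```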

PHP using the P3P protocol

header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

JS using the P3P protocol

xmlhttp.setRequestHeader("P3P", 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

Explanation of the P3P header parameters

Reference:

P3P header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

A compact policy token is present. A trailing 'o' means opt-out; a trailing 'i' means opt-in.

CURa
Information is used to complete the activity for which it was provided.

ADMa
Information may be used for the technical administration of the web site and its computer system.

DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.

PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for the purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals in order to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

BUS
Information is retained under the service provider's stated business practices. Sites must have a retention policy that establishes a destruction timetable. The retention policy must be included in or linked from the site's human-readable privacy policy.

UNI
Non-financial identifiers, excluding government-issued identifiers, issued for the purpose of consistently identifying or recognizing the individual. These include identifiers issued by a web site or service.

PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.

INT
Data actively generated from or reflecting explicit interactions with a service provider through its site, such as queries to a search engine, or logs of account activity.

DEM
Data about an individual's characteristics, such as gender, age, and income.

STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously, such as HTTP cookies.

PRE
Data about an individual's likes and dislikes, such as favorite color or musical tastes.

COM
Information about the computer system the individual is using to access the network, such as the IP number, domain name, browser type or operating system.

NAV
Data passively generated by browsing the web site, such as which pages are visited and how long users stay on each page.

OTC
Other types of data not captured by the above definitions.

NOI
The web site does not collect identified data.

DSP
The privacy policy contains disputes elements.

COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
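To turn the token list above into something a reviewer can check programmatically, here is a parser for the compact policy string, added as an example and not part of the original article. It recognises only the tokens the article lists, reports unknown ones separately, and maps the suffix to its meaning (the 'a' suffix, meaning "always", is assumed from the P3P specification rather than from the article).

```php
<?php
// Added example (not from the original article): parse the CP= compact policy
// from a P3P header into tokens and qualifiers, using the meanings listed above.

const P3P_TOKENS = [
    'CUR' => 'completion of current activity', 'ADM' => 'site administration',
    'DEV' => 'research and development',       'PSA' => 'pseudonymous analysis',
    'PSD' => 'pseudonymous decision',          'OUR' => 'shared with ourselves/agents',
    'BUS' => 'retained per business practices','UNI' => 'unique identifiers',
    'PUR' => 'purchase information',           'INT' => 'interactive data',
    'DEM' => 'demographic data',               'STA' => 'state management (cookies)',
    'PRE' => 'preference data',                'COM' => 'computer information',
    'NAV' => 'navigation/clickstream',         'OTC' => 'other data',
    'NOI' => 'no identified data collected',   'DSP' => 'disputes',
    'COR' => 'errors are corrected',
];
// 'a' (always) is from the P3P spec; the article only lists 'o' and 'i'.
const P3P_QUALIFIERS = ['a' => 'always', 'i' => 'opt-in', 'o' => 'opt-out'];

// Returns ['tokens' => [TOKEN => ['meaning', 'qualifier']], 'unknown' => [...]].
// Unknown tokens are kept so a reviewer sees exactly what the site claimed.
function parse_p3p_cp(string $header): array
{
    $result = ['tokens' => [], 'unknown' => []];
    if (!preg_match('/CP\s*=\s*"([^"]*)"/i', $header, $m)) {
        return $result;                       // no compact policy present
    }
    foreach (preg_split('/\s+/', trim($m[1])) as $raw) {
        if ($raw === '') continue;
        $token  = strtoupper(substr($raw, 0, 3));
        $suffix = strtolower(substr($raw, 3));
        if (!isset(P3P_TOKENS[$token])) {
            $result['unknown'][] = $raw;
            continue;
        }
        $result['tokens'][$token] = [
            'meaning'   => P3P_TOKENS[$token],
            'qualifier' => P3P_QUALIFIERS[$suffix]
                ?? ($suffix === '' ? 'n/a' : "unknown ($suffix)"),
        ];
    }
    return $result;
}

// Constructed input: the header from the article's PHP example.
$parsed = parse_p3p_cp('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
print_r($parsed['tokens']['PSA']);  // meaning: pseudonymous analysis, qualifier: opt-out
```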

PS: the cross-domain case here is mainly about setting cookies. If a cookie is to be read across domains, make sure the response that sets that cookie also sends the P3P header; otherwise IE will block the cross-domain cookie when it is read.
