Thread: P3P How to

  1. #1
    SitePoint Enthusiast Setac's Avatar
    Join Date
    Nov 2000
    Location
    San Marcos CA
    Posts
    83
    With IE6 coming out with P3P implemented I need to bring several of my sites that use cookies up to date. Has anyone seen a good quick and dirty how to on coding a P3P policy into the web site?

    Alan
    Dynamic HTML - Is that a Frisbee based language...

  2. #2
    I believe you have my stapler. scrubz's Avatar
    Join Date
    Feb 2001
    Location
    Van down by the river
    Posts
    254
    I wouldn't necessarily say it's quick and dirty, but check this out:

    http://www.w3.org/P3P/details.html

  3. #3
    SitePoint Enthusiast Setac's Avatar
    Join Date
    Nov 2000
    Location
    San Marcos CA
    Posts
    83
    Thanks scrubz.

    I had seen that and was hoping for something more basic.

    I have yet to find it. I'm going through the process of learning how to get all of a P3P policy done and implemented. I downloaded the IBM Editor and finally got it running. Then I got a policy written. Between the w3.org pages and the IBM Editor help I got it figured out. It is not as complex as they make it sound. Things like the 'Well Known Location' being repeatedly referred to drove me crazy. I finally stumbled across what they meant in a help file. It would have been much easier if I had been told 'put everything in a w3c folder and things this and this.' Oh well...

    If anyone else wants this info, I have it now. If there is enough interest I will post on the company web site.
    Dynamic HTML - Is that a Frisbee based language...

  4. #4
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    Originally posted by Setac
    If anyone else wants this info, I have it now. If there is enough interest I will post on the company web site.
    Hello Setac!

    I would be very interested! Esp. how you are integrating it with your site.

    Arpith

  5. #5
    SitePoint Enthusiast Setac's Avatar
    Join Date
    Nov 2000
    Location
    San Marcos CA
    Posts
    83
    Hi arpith,

    I put the actual steps I've been through so far on my site at:
    MySite

    I just got a policy written. My plan for implementation is use one of my small client's sites that uses cookies. I plan to install the basic policy file in the "well known location" (siteroot/w3c/p3p.xml) without making any change to the present pages. Initially I will avoid supplying the support pages, the human version of the policy, a dispute resolution page, etc. I'll include the references in the policy, just omit the actual pages from the site for now.

    Once the policy is installed I'll see if it affects MSIE 5.x browsers. If so I'll remove it and move testing to a lab server in-house.

    Then I'll browse the site with MSIE 6 beta. I want to see what type of on screen messages I am getting with various settings in the MSIE6. Once I have that information, I'll remove the policy and see what MSIE6 does. I am curious if I will start to see 404's reported in the site logs from MSIE6 requests for policy info if it is not there. Once I have that information I'll decide what to do next.

    From the rhetoric I am reading on how poorly P3P will protect people, I am assuming I can create a policy file that will allow me to retrieve the data I need without complaints from the browser. From my study so far, I have not found anything to keep one from lying when they create their policy. I expect that to push reputable sites into using 3rd party verification and site approval seals. But there does not appear to be serious security to keep one from creating their own Seals and 3rd party verification systems. I would expect this to force the creation of laws to allow some type of enforcement of privacy policies. Hopefully it will take years for the politicians to catch up.

    Alan
    Dynamic HTML - Is that a Frisbee based language...

  6. #6
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    Alan!

    Thanks a lot for that info. I will be downloading IBM's P3P editor.

    However, I don't understand the process completely :-(

    I would like to use cookies on the site, to store the username, session id and perhaps a few other items (temporary variables).

    How do I go about implementing this? Where do I specify the acceptable cookies, and an explanation of their data? Do I need to explain temporary cookies too?

    Or am I completely wrong here :-)

    Thanks,
    Arpith

  7. #7
    SitePoint Enthusiast Setac's Avatar
    Join Date
    Nov 2000
    Location
    San Marcos CA
    Posts
    83
    Until I have the MSIE 6 browser up, I do not completely understand either.

    The cookie handling and the P3P can be separate on the design side. As I understand the MSIE6 browser will look for a P3P policy. When you save or request cookie info, the browser wants to know what type of info you are saving or requesting before supplying it. All it can really know is what you tell it. So, when you request a cookie named "secretinfo" or whatever you have named it, it will have to look at your policy to see what you have said this info is. So, you have to ID the data or give it a class of data. Then MSIE6 or other P3P standard compliant browser will use what you told it and the user's settings to decide if it should give it out or not.

    Obviously, most sites will not have P3P policies when MSIE 6 is released. So, cookies as used on most sites and without P3P policies have to be handled. I doubt MS would want to break all the e-com sites out there that use cookies. I assume it will be pretty lax in the beginning. P3P is not a have to right now.

    Once you have the Editor and the Help files for it, this will make more sense. The problem here is not a lack of information. For me it is that there is so much I can't find the basic stuff I want. Plus everything is in development and buggy. Like they don't tell you the IBM Editor will not work with just MS JScript, you have to have a real Java Environment for it to work.

    Let me know how it goes. Alan
    Dynamic HTML - Is that a Frisbee based language...
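
An added example, not part of the original posts or of any tool mentioned in the thread: a minimal Python reader for a policy reference file of the kind installed at the well-known location (/w3c/p3p.xml), showing how a page path or a cookie such as "secretinfo" is mapped to a policy. Element names and the namespace follow the final P3P 1.0 Recommendation; the file contents, the policy file names, the "sample_date" cookie and the simplified wildcard matching are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample of a policy reference file served from /w3c/p3p.xml.
SAMPLE_P3P_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/w3c/samples-policy.xml#samples">
   <INCLUDE>/samples/*</INCLUDE>
   <COOKIE-INCLUDE name="sample_date" value="*" domain="*" path="/"/>
  </POLICY-REF>
  <POLICY-REF about="/w3c/site-policy.xml#site">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/w3c/*</EXCLUDE>
   <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
   <COOKIE-EXCLUDE name="secretinfo" value="*" domain="*" path="*"/>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""

def _match(pattern, value):
    # '*' is the only wildcard; every other character is matched literally.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value) is not None

def _applies(ref, include, exclude, hit):
    # A POLICY-REF applies when some include element matches and no exclude does.
    return (any(hit(e) for e in ref.findall(NS + include))
            and not any(hit(e) for e in ref.findall(NS + exclude)))

def policy_for_path(xml_text, path):
    hit = lambda e: _match((e.text or "").strip(), path)
    for ref in ET.fromstring(xml_text).iter(NS + "POLICY-REF"):
        if _applies(ref, "INCLUDE", "EXCLUDE", hit):
            return ref.get("about")  # first applicable reference wins
    return None  # no policy declared for this path

def policy_for_cookie(xml_text, name, value="", domain="", path="/"):
    cookie = {"name": name, "value": value, "domain": domain, "path": path}
    def hit(el):  # assumption: an absent attribute is treated as '*'
        return all(_match(el.get(k, "*"), v) for k, v in cookie.items())
    for ref in ET.fromstring(xml_text).iter(NS + "POLICY-REF"):
        if _applies(ref, "COOKIE-INCLUDE", "COOKIE-EXCLUDE", hit):
            return ref.get("about")
    return None  # cookie is not covered by any declared policy
```

A result of `None` means the file makes no statement about that path or cookie, which is the "undefined cookie" case the thread goes on to discuss.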

  8. #8
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    Alan,

    I did take a look at IE6. I think most sites with cookies are working fine.

    Only 3rd party cookies will have a problem -- but that's only limited to 3rd party providers such as Ad servers, and shouldn't be a problem to most people who develop sites that use a single domain.

    I think when a site requests/sends a cookie, IE looks for a P3P policy. However, whether the policy file is present or not, it allows the cookie to be set.

    If the policy file is absent, it shows a small (alert) icon on the status bar, but I don't think it affects the cookies.

    Any ideas?

    Regards,

  9. #9
    SitePoint Enthusiast Setac's Avatar
    Join Date
    Nov 2000
    Location
    San Marcos CA
    Posts
    83
    arpith,
    True, the third-party cookies are the BIG concern.

    But, MS says cookies are "unsatisfactory" that request personally identifiable data. MS says "By default, unsatisfactory cookies in the first-party context are deleted when the browsing session ends and rejected in the third-party context."

    I understand that first-party cookies are from the primary site. So, I could have problems saving info from session to session. This would also mean that cookies appear to work while one is on the site. But, closing the browser would delete the cookies.

    Additionally, MS says, "If a user visits www.wideworldimporters.com over a secure connection using Secure Hypertext Transfer Protocol (HTTPS), content on the page that is not using HTTPS is considered third-party content." Does that mean that cookie data set outside the HTTPS is third-party and probably not accessible from the HTTPS pages or is cookie data set in a HTTPS page probably not available to non HTTPS pages?

    I won't get a working IE6 until this weekend. After reading MS material I get headaches. I have to try it before I am sure I understood what they wrote.

    The news group for the IE6 public beta has people asking about cookie problems at various types of sites. These seem to be few but then not many people trying the IE6 know about the news groups.

    I am wondering how IE6 will know what data is 'unsatisfactory' if there is no P3P privacy policy on the site. So, what happens to undefined cookies? If undefined cookies could be used, why would anyone care what the standard is? It would be most simple to ignore it in that case. So, I suspect they will make it a problem.

    I'm mostly concerned about my client sites that have giveaways and free samples. I use cookies to track who has already requested samples and who has not. Once a sample request has been completed and submitted a cookie is loaded with a variable holding a date. As long as that variable is in the cookie, the pages omit the free sample references. I would hope that a date could not be identified as personally identifiable data and ruled unsatisfactory. I guess I'll find out.

    Alan
    Dynamic HTML - Is that a Frisbee based language...

  10. #10
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    Hello Alan,

    I'm not sure that first party cookies are killed upon closing the browser. It seems to be working fine on my test site.

    IE6 is such a pain! I don't know if it really offers all that much from the previous versions (my latest was 5.0)... It keeps crashing on me whenever I close it (of course it's just a beta version). It does have a handy "Delete All Cookies" button.

    Arpith

