zoukankan      html  css  js  c++  java
  • A Quick Look at P3P

    P3P Made Simple

    By default, IE will reject cookies coming from 3rd-party contexts. A 3rd-party context is one where the domain on the content is different than the domain of the page that pulls in that content. Possible third-party contexts include pretty much any element that accepts a URL: <script>, <img>, <link>, <frame>, <iframe>, <audio>,<video>, et cetera. It also includes cross-domain XmlHttpRequests which attempt to send cookies when thewithCredentials flag is set.

    For instance, consider a webpage with a subframe, like this:

    image

    The 1st-Party Context is domain1.com and the 3rd-Party Context is domain2.com. By default, if the HTML content in the IFRAME tries to set a cookie, it will fail to do so. IE will behave as if the cookie from domain2.com doesn’t exist.

    Unfortunately, IE’s F12 Developer Tools won’t show a warning when this happens. In older versions of IE, you’d see a little “eye” icon in the IE status bar, but that was removed in IE9. Today, to see that a cookie has been rejected, you have to click View > Web Page Privacy Policy.

    image

    That command will show you a summary of what happened to cookies during the loading of the page. For instance, loading this blog post yields the following:

    image

    Declare Your Policy

    To get IE to accept cookies from your server in a 3rd-party context (or to get IE to resend a previously-set cookie toyour server when it is accessed in a 3rd-party context), you must declare the privacy policy that governs how your cookies will be used. That declaration takes the form of a P3P header on the HTTP response (or, less commonly, a META tag with the same content).

    For instance, this blog sends the following:

    P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

    Each token in the Compact Policy (CP) attribute has a particular meaning that explains in a machine-readable way how the cookie will be used. Fiddler’s Cookies Response Inspector breaks down the policy into English (well…legalese, at least :-)

    image

    Upon receiving a cookie, IE will automatically the cookie’s privacy policy to the user’s configured preferences when deciding whether or not to accept, restrict, or block the cookie.

    The P3P statement must be provided by the 3rd party content. In our example:

    image 

    …when the subframe tries to set a cookie, IE only considers the P3P statement from domain2.com. Adding a P3P statement to domain1.com will NOT change the cookie handling for the subframe.

    A P3P statement is a legal declaration of how your cookie will be used. You shouldn’t just throw “whatever works” into a P3P header, or you might find yourself in violation of national privacy laws and/or subject to civil lawsuits.

    From: http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx

  • 相关阅读:
    POJ4046 Sightseeing
    SGU 298. King Berl VI
    POJ1741 Tree
    POJ1639 Picnic Planning
    POJ1635 Subway tree systems
    [JSOI2008]最小生成树计数
    ftrace使用简介(三)
    make: *** 没有规则可以创建目标"menuconfig". 停止
    编译linux内核(ftrace)
    vim 缩进配置
  • 原文地址:https://www.cnblogs.com/vincentDr/p/3656177.html
Copyright © 2011-2022 走看看