P3P 1.0
was designed to associate XML-encoded privacy policies with URIs,
sets of URIs, or cookies. P3P 1.0 it well suited for use with HTML
and XHTML content transmitted over [HTTP] . However,
P3P 1.0 cannot be used in situations where content is not associated
with a URI, for example, some applications of Web Services and XMLP/Soap. In addition,
P3P 1.0 cannot be used in situations where policies apply to only a
subset of the content associated with a given URI. For example,
while P3P 1.0 can be used to apply a P3P policy to an entire form
specified by XForms, it
cannot be used to apply the policy to only a single form field.
The P3P 1.1 Specification provides a new binding mechanism to
allow for increased granularity beyond the URI level and to allow
policies to apply to content not associated with a URI. The new
mechanism takes the form of a generic attribute (similar to
xml:lang)
that binds a P3P policy to an XML element.
A P3P policy referenced by the P3P generic attribute MUST apply to all data collection performed as a result of processing the element carrying the P3P Generic Attribute. The policy also MUST describe all data collection performed as a result of the processing of all subelements.
For all XML applications in which the P3P Generic Attribute is to be used, the attribute MUST be imported into the relevant XML schema.
If the element is re-used by mechanisms such as XInclude or the SVG <use> Element, the Policy applies also in the new context where the element is re-used. The policy is sticky to the element from which it is referenced.
The P3P Generic Attribute is designed for use in XML elements that describe interfaces, not XML elements that encode user data. Thus, it is meaningful to use the P3P Generic Attribute to associate a P3P policy with a blank form or form field. The semantics of such an association are that any data entered into the form will be processed in a manner consistent with the P3P policy. It is not meaningful to use the P3P Generic Attribute to associate a P3P policy with data a user has entered into a form.
The P3P Generic Attribute MUST NOT be used in applications, such as RDF, that do not have a tree structure because its semantics relies on the concept of subelements. In the case of RDF, one of the other three binding mechanisms described in 2. Referencing Policies may be used, as RDF makes use of URIs.
The P3P generic attribute takes a URI of a valid P3P 1.1 policy as its value. The P3P generic attribute MUST NOT reference a P3P
Policy Reference File.
| [19] | p3pattr |
= |
`p3pattr=`p3p:p3p="`
quoted-URI
`"`
`xmlns:p3p="http://www.w3.org/2004/02/P3Pv11" `
|
Here is an example of how the P3P attribute might be used with WSDL.
<?xml version="1.0"?>
<definitions xmlns="http://www.w3.org/2003/11/wsdl"
xmlns:myns="http://example.org/myservice"
xmlns:mytypes="http://example.org/myservice-types"
xmlns:p3p="http://www.w3.org/2004/02/P3Pv11"
xmlns:soap="http://www.w3.org/2003/06/wsdl/soap12"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://example.org/myservice" >
<documentation>
Sample service definition showing the use of the P3P generic attribute
</documentation>
<types>
<xs:import namespave='http://example.org/myservice'/>
</types>
<interface name="Interface">
<operation name="Operation"
pattern="http://www.w3.org/2003/11/wsdl/in-out">
<input message="mytypes:commentReq"/>
<output message="myntypes:commentResp"/>
</operation>
</interface>
<binding name="Binding" interface="myns:Interface">
<soap:binding protocol="http://www.w3.org/2003/05/soap/bindings/HTTP/"/>
</binding>
<service name="Service" interface="myns:Interface"
p3p:p3p="http://example.com/p3p-pol3.xml" >
<endpoint name="Endpoint1" binding="myns:binding">
<soap:address location="http://ws.example.org/myservice" />
</endpoint>
</service>
</definitions>