
Re: Client P3P Problem

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Wed, 30 Nov 2005 21:31:29 -0500
Message-Id: <D5DCD3EC-0143-48AB-8DC9-8468E4B599EF@cs.cmu.edu>
Cc: www-p3p-dev@w3.org
To: Scott Wagner <scottietrek@alltel.net>

A P3P-enabled web site may place a compact P3P policy in the HTTP  
header transmitted when a cookie is set. A client that is reading the  
HTTP headers will see it there. All it has to do is grab it and parse  
it. There is no P3P cookie... normal cookies are used with P3P. The  
P3P specification explains what all the tokens in the P3P compact  
policy header mean.

Lorrie Cranor

On Nov 30, 2005, at 11:47 AM, Scott Wagner wrote:

> Ok, I get it, so what do you do when there is a set cookie in the
> P3P? How does the Client get the cookie from the server in P3P? I
> have read a lot of info on this but your explanation was the best. I
> just would like to know what the Client does to get the cookie from
> the P3P portion of this. Yahoo is not just the example but the
> reason I am writing my software. P3P cookies are becoming more and
> more popular. With that in mind, software developers will need to
> know how to handle the P3P cookie. So if someone could let me know,
> in the code, how the client handles P3P, that would be great.
> Thank You
> Scott Wagner
> On Nov 30, 2005, at 8:04 AM, Rigo Wenning wrote:
>> Scott,
>> I still think you have some wrong expectations with respect to the
>> P3P Protocol. This is all described in section 2 of the P3P 1.0
>> Specification: http://www.w3.org/TR/P3P/
>> So your first misunderstanding is that you seem to assume that you
>> can tell yahoo how to use your information. This is not the paradigm
>> of P3P. In P3P, it is on yahoo to tell you what they will do with the
>> data and it is on you to accept that or surf elsewhere. So you can
>> base your decision (go/block) on the P3P data that you received from
>> yahoo or just continue the http GET interaction and disregard the
>> whole P3P information given in the header.
>> The P3P protocol is kind of passive (for privacy reasons). This means
>> that the service (yahoo in your example) will announce its privacy
>> practices using the P3P format. There are two formats (both
>> implemented by yahoo), one being the compact format. But if you
>> analyze the header, you'll see that there is also a link to the
>> Policy reference file indicating the policy for yahoo in full XML. In
>> those files but also in the tokens, yahoo tells you what they will do
>> if you give them your name or email-address.
>> Their policy is actually not very fine grained. They tell in this
>> policy that they collect everything and that they give it away to
>> everybody and that they identify you.
>> So next step in this exchange would be that you tell us what you
>> want to try to achieve. This way we can help you with the P3P part of
>> it. Just to fetch a page, you won't need P3P. You need P3P if you
>> want to base your decisions whether to accept cookies or continue
>> surfing on the P3P metadata given by a service. And no, you don't
>> need to send any P3P information/strings back to the yahoo server.
>> Best,
>> Rigo Wenning
>> Privacy Activity Lead
>> On Wednesday 30 November 2005 05:25, Scott Wagner wrote:
>>> Ok, Jeff was a help in the fact that he helped me get my problem in
>>> order. I am writing a program (that will mimic IE 6) that will be
>>> P3P compliant. Problem example:
>>> I go to http://www.yahoo.com/ and before I get the page the yahoo
>>> server asks me for my Privacy Policy in Compact Policies format,
>>> i.e. (Server header:
>>> P3P=policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP HEA PRE GOV")
>>> Now I need to know the header format for the return of
>>> my privacy policy in CP format.
Received on Thursday, 1 December 2005 02:31:44 UTC
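
The client-side step described in the reply above (read the P3P header sent with Set-Cookie, parse the compact policy, then decide about the cookie), as an added example that is not part of the original thread. The function names, the blocked-category preference and the sample response are assumptions for illustration; the P3P header values are the ones quoted in the thread, and the token groups follow the P3P 1.0 compact policy vocabulary.

```python
import re

# Compact-policy vocabulary of P3P 1.0, grouped by the policy element each token abbreviates.
CP_VOCAB = {
    "access": "NOI ALL CAO IDC OTI NON",
    "disputes": "DSP", "non-identifiable": "NID", "test": "TST",
    "remedies": "COR MON LAW",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "categories": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
}
GROUP_OF = {t: g for g, toks in CP_VOCAB.items() for t in toks.split()}
FIELD_RE = re.compile(r'\b(policyref|CP)\s*=\s*"([^"]*)"', re.IGNORECASE)

def parse_p3p(value):
    """Return the policyref URI, CP tokens grouped by element, and unrecognised tokens."""
    out = {"policyref": None, "tokens": {}, "unknown": []}
    for name, body in FIELD_RE.findall(value):
        if name.lower() == "policyref":
            out["policyref"] = body
            continue
        for raw in body.split():
            base, suffix = raw[:3], raw[3:]
            group = GROUP_OF.get(base)
            # Purpose/recipient tokens (not CUR or OUR) may end in a, i or o: always, opt-in, opt-out.
            suffix_ok = suffix == "" or (suffix in ("a", "i", "o") and base not in ("CUR", "OUR")
                                         and group in ("purpose", "recipient"))
            target = out["tokens"].setdefault(group, []) if group and suffix_ok else out["unknown"]
            target.append(raw)
    return out

def cookie_decision(header_block, blocked_categories):
    """Decide what to do with Set-Cookie using the CP sent in the same response (hypothetical rule)."""
    headers = {}
    for line in header_block.splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    if "set-cookie" not in headers:
        return "no-cookie"
    if "p3p" not in headers:
        return "no-policy"                          # caller applies its default for cookies without a CP
    declared = set(parse_p3p(", ".join(headers["p3p"]))["tokens"].get("categories", []))
    return "reject" if declared & set(blocked_categories) else "accept"

# Constructed response; only the P3P header values come from the thread.
SAMPLE = ('HTTP/1.1 200 OK\r\nSet-Cookie: B=example; path=/\r\n'
          'P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP HEA PRE GOV"\r\n\r\n')
```

Nothing is sent back to the server: the decision only controls whether the client stores the cookie.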
