W3C home > Mailing lists > Public > www-p3p-policy@w3.org > November 2001

Re: Another P3P, IE6, 3rd party question

From: Lorrie Cranor <lorrie@research.att.com>
Date: Tue, 20 Nov 2001 20:52:20 -0500
Message-ID: <001901c1722f$29607060$3e06cf87@research.att.com>
To: <graeme@i7.com.au>, <www-p3p-policy@w3.org>
Graeme wrote:


> Our banner advertising company has contacted us about implementing P3P for
> ou ads which is nice. We were going to implement P3P anyway so this is a
> nice way to kill 2 birds with 1 stone.
>
> However, our ad company wants us to send them the PRF, CP and full P3P
> policy which I find a bit odd.  Since the ad company is going to have to
> send the CP in the headers anyway, is it feasible for them to point to the
> PRF on our servers so we can host both that and the full policy document
> ourselves? I haven't read to much about 'cross-domain' P3P stuff.

It is probably feasible to have them point to the PRF on your servers,
however, you might want to have a special PRF just for this purpose
(seperate from the PRF for your own servers). The reason for this
is that the <INCLUDE> elements in the PRF indicate the URIs to which
a particular policy applies. These are relative URIs interpreted relative
to the DNS host that referenced the PRF.  So, let's say that a request
is made for http://i7ads.adplace.com/ad3.gif and a P3P header
is served indicating that the PRF is at http://i7.com.au/w3c/p3p.xml
Let's say that you have one P3P policy for your entire site, so the PRF
contains the statement <INCLUDE>/*</INCLUDE>. Then when ad3.gif
is fetched, fetching the PRF will apply your policy to everything on
i7ads.adplace.com. If in fact everything on that server belongs to
you, that might not be a problem (and it sounds like in your case that
is probably true). But if your ad company doesn't have a dedicated
host for you, and instead your ad was say at
http://ads.adplace.com/i7/ad3.gif, then you would not want your policy
applied to everything on that host. Instead you would probably
want something like <INCLUDE>/i7/*</INCLUDE>

Also, note that another option would be for the PRF to live
on the ad company's server and the policy file to live on your
server.

> Also, in that case would it also be feasible to then place a <HINT> tag in
> our PRF to point back to the ad company's PRF which indicates our privacy
> policy applies to their ads. Does IE6 know about and follow these hints?

You can use the HINT mechanism, but not to point to
a PRF on a different host than the resource to which the
policy applies. Also, this mechanism has not been implemented
in the current release of IE6 (which came out before we finalized the HINT
mechanism).

> So to summarise...
> Us: i7.com.au
> Ads: i7ads.adplace.com (name changed for some sort of protection)
>
>
> i7ads.adplace.com sends header
> policyref="http://i7.com.au/w3c/p3p.xml", CP="XX XX XX XX XX"
>
> i7.com.au PRF contains
> <HINT domain="i7ads.adplace.com" path="/w3c/p3p.xml">

Only if the p3p.xml file lives on 17ads.adplace.com

> Have I got this right? Can anyone give me a hint as to what the PRF for
> i7ads.adplace.com might contain in order to say that their ads use our
> privacy policy?

Just put the URI of your privacy policy in the about field.

> This is an expanded version of Scenario 3  in Sept 2001 P3P draft. Since
> it's a commercial ad hosting company I suspect that there is actually more
> to this since the data collected is used for purposes other than serving
> ads and therefore the ad company must create its own P3P policy and serve
> that with the ads. This is basically Scenario 7 in the draft.

You have to decide one way or the other. Either your policy applies
or the ad company's policy applies. You can't have both.

Regards,

Lorrie Cranor
Received on Tuesday, 20 November 2001 20:52:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 17 January 2012 12:13:10 GMT