change to non-ambiguity section of P3P spec

The following is the revised text for section 2.4.1 non-ambiguity of
P3P1.0, as adopted by the Specification
Working Group. This clarifies the precedence of 
multiple policy reference files.


2.4.1 Non-ambiguity

User agents need to be able to determine unambiguously
what policy applies to a given URI. Therefore, sites SHOULD
avoid declaring more than one non-expired policy for a given
URI. In some rare case sites MAY declare more than one
non-expired policy for a given URI, for example, during a
transition period when the site is changing its policy.
In those cases, the site will probably not be able to determine
reliably which policy any given user has seen, and thus it
MUST honor all policies. Sites MUST be
cautious in their practices when they declare multiple
policies for a given URI, and ensure that they can 
actually honor all policies simultaneously.


If a policy reference file at the well-known location declares
a non-expired policy for a given URI, this policy
applies, regardless of any conflicting policy reference files
referenced through HTTP headers or HTML link tags.

If an HTTP response includes references to more than 
one policy reference file, P3P user agents MUST ignore
all references after the first one.

If an HTML file includes HTML LINK tag references
to more than one policy reference file, P3P user
agents MUST ignore all references after the first one.

If a user agent discovers more than one non-expired
P3P policy for a given URI (for example because
a page has both a P3P header and a LINK tag that
reference different policy reference files, or because
P3P headers for two pages on the site reference
different policy reference files that declare different
policies for the same URI), the user agent MAY
assume any (or all) of these policies apply as the
site MUST honor all of them.

Received on Tuesday, 3 April 2001 17:50:11 UTC