- From: Lorrie Cranor <lorrie@research.att.com>
- Date: Tue, 20 Nov 2001 20:52:20 -0500
- To: <graeme@i7.com.au>, <www-p3p-policy@w3.org>
Graeme wrote:

> Our banner advertising company has contacted us about implementing P3P for
> our ads which is nice. We were going to implement P3P anyway so this is a
> nice way to kill 2 birds with 1 stone.
>
> However, our ad company wants us to send them the PRF, CP and full P3P
> policy which I find a bit odd. Since the ad company is going to have to
> send the CP in the headers anyway, is it feasible for them to point to the
> PRF on our servers so we can host both that and the full policy document
> ourselves? I haven't read too much about 'cross-domain' P3P stuff.

It is probably feasible to have them point to the PRF on your servers; however, you might want to have a special PRF just for this purpose (separate from the PRF for your own servers).

The reason for this is that the <INCLUDE> elements in the PRF indicate the URIs to which a particular policy applies. These are relative URIs interpreted relative to the DNS host that referenced the PRF. So, let's say that a request is made for

  http://i7ads.adplace.com/ad3.gif

and a P3P header is served indicating that the PRF is at

  http://i7.com.au/w3c/p3p.xml

Let's say that you have one P3P policy for your entire site, so the PRF contains the statement <INCLUDE>/*</INCLUDE>. Then when ad3.gif is fetched, fetching the PRF will apply your policy to everything on i7ads.adplace.com. If in fact everything on that server belongs to you, that might not be a problem (and it sounds like in your case that is probably true). But if your ad company doesn't have a dedicated host for you, and instead your ad was, say, at

  http://ads.adplace.com/i7/ad3.gif

then you would not want your policy applied to everything on that host. Instead you would probably want something like <INCLUDE>/i7/*</INCLUDE>.

Also, note that another option would be for the PRF to live on the ad company's server and the policy file to live on your server.
> Also, in that case would it also be feasible to then place a <HINT> tag in
> our PRF to point back to the ad company's PRF which indicates our privacy
> policy applies to their ads. Does IE6 know about and follow these hints?

You can use the HINT mechanism, but not to point to a PRF on a different host than the resource to which the policy applies. Also, this mechanism has not been implemented in the current release of IE6 (which came out before we finalized the HINT mechanism).

> So to summarise...
> Us: i7.com.au
> Ads: i7ads.adplace.com (name changed for some sort of protection)
>
> i7ads.adplace.com sends header
>   policyref="http://i7.com.au/w3c/p3p.xml", CP="XX XX XX XX XX"
>
> i7.com.au PRF contains
>   <HINT domain="i7ads.adplace.com" path="/w3c/p3p.xml">

Only if the p3p.xml file lives on i7ads.adplace.com.

> Have I got this right? Can anyone give me a hint as to what the PRF for
> i7ads.adplace.com might contain in order to say that their ads use our
> privacy policy?

Just put the URI of your privacy policy in the about field.

> This is an expanded version of Scenario 3 in Sept 2001 P3P draft. Since
> it's a commercial ad hosting company I suspect that there is actually more
> to this since the data collected is used for purposes other than serving
> ads and therefore the ad company must create its own P3P policy and serve
> that with the ads. This is basically Scenario 7 in the draft.

You have to decide one way or the other. Either your policy applies or the ad company's policy applies. You can't have both.

Regards,
Lorrie Cranor
Received on Tuesday, 20 November 2001 20:52:36 UTC
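The scoping pitfall described in the mail above (a PRF on i7.com.au whose <INCLUDE>/*</INCLUDE> ends up covering every path on the ad host, where <INCLUDE>/i7/*</INCLUDE> would not) can be checked mechanically. The following is an added example and not code from the mailing list or from any P3P implementation: it parses a P3P response header for its policyref, parses a constructed PRF, and resolves the INCLUDE/EXCLUDE patterns against the path of the request on the host that answered the request, exactly as the mail explains. The hostnames, the PRF contents, the CP tokens, the /cgi-bin/* exclusion and the namespace URI are constructed for illustration; it also assumes that a "*" in a P3P URI pattern matches any run of characters.

```python
"""Added example: which P3P policy covers a request, given the P3P header it
was served with and the policy reference file (PRF) the header points at.

INCLUDE/EXCLUDE patterns are resolved as paths on the DNS host that answered
the request, not on the host that stores the PRF. Hostnames, paths, CP tokens
and the PRF text below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed PRF; {include} is filled in so the broad (/*) and narrow
# (/i7/*) cases can be compared with the same code.
PRF_TEMPLATE = """<META xmlns="http://www.w3.org/2001/09/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="http://i7.com.au/w3c/policy.xml#i7">
      <INCLUDE>{include}</INCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# Constructed P3P response header of the kind the ad host would send.
AD_HEADER = 'policyref="http://i7.com.au/w3c/p3p.xml", CP="NOI DSP COR NID"'


def parse_p3p_header(header):
    """Return the policyref URI named in a P3P header, or None if absent."""
    m = re.search(r'policyref\s*=\s*"([^"]+)"', header)
    return m.group(1) if m else None


def _local(tag):
    """Strip the XML namespace so the parser accepts any P3P namespace URI."""
    return tag.rsplit("}", 1)[-1]


def _pattern_re(pattern):
    """URI pattern to regex: '*' matches any run of characters, rest is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def load_prf(prf_xml):
    """Parse a PRF into a list of (about, include_patterns, exclude_patterns)."""
    refs = []
    for el in ET.fromstring(prf_xml).iter():
        if _local(el.tag) != "POLICY-REF":
            continue
        inc = [(c.text or "").strip() for c in el if _local(c.tag) == "INCLUDE"]
        exc = [(c.text or "").strip() for c in el if _local(c.tag) == "EXCLUDE"]
        refs.append((el.get("about"), inc, exc))
    return refs


def policy_for(request_url, prf_xml):
    """Return the 'about' URI of the policy covering request_url, or None.

    Patterns are matched against the request path on the request host, so a
    PRF hosted on i7.com.au still scopes paths on ads.adplace.com. EXCLUDE
    wins over INCLUDE, and the first matching POLICY-REF is used.
    """
    path = urlsplit(request_url).path or "/"
    for about, inc, exc in load_prf(prf_xml):
        if any(_pattern_re(p).match(path) for p in exc):
            continue
        if any(_pattern_re(p).match(path) for p in inc):
            return about
    return None


def scope_report(include_pattern):
    """Show which ad-host URLs a PRF with this INCLUDE pattern would cover."""
    prf = PRF_TEMPLATE.format(include=include_pattern)
    urls = [
        "http://ads.adplace.com/i7/ad3.gif",      # Graeme's own ad
        "http://ads.adplace.com/other/ad.gif",    # another customer's ad
        "http://ads.adplace.com/cgi-bin/track",   # excluded in the PRF
    ]
    return {
        "prf": parse_p3p_header(AD_HEADER),
        "coverage": {u: policy_for(u, prf) for u in urls},
    }


if __name__ == "__main__":
    for pat in ("/*", "/i7/*"):
        print(pat, scope_report(pat))
```

With "/*" the report shows another customer's ad covered by i7.com.au's policy; with "/i7/*" only Graeme's own path is covered, which is the narrowing the mail recommends when the ad company does not give you a dedicated host.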