Re: Number of policies that may apply

Thanks for your response.

>> second question is: must a user agent go through the same mechanisms twice
>> (as described in section 2.2) in order to locate the two policy reference
>> files?
> No. A single policy reference file can cover a URI and a cookie with
> separate policies.

Yes, I am aware that a single policy reference file *can* cover them
both, but what if it does not?

To illustrate, let's extend the mall.example.com example in 2.2.1.
Assume the policy reference file at the well-known location
http://mall.example.com/w3c/p3p.xml contains:
 ...
 <POLICY-REF about="general-mall-policy.xml">
  <INCLUDE>/*</INCLUDE>
  <EXCLUDE>/companies*</EXCLUDE>
  <COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>
 </POLICY-REF>
 ...

And assume further, that the ShoeStoreExample company uses HTTP headers to
indicate the location of "its" policy reference file at
http://mall.example.com/companies/shoestoreexample/w3c/p3p.xml and it
contains
 ...
 <POLICY-REF about="/companies/shoestoreexample/w3c/shoestoreexample.xml">
  <INCLUDE>/companies/shoestoreexample*</INCLUDE>
  <COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>
 </POLICY-REF>
 ...

And finally let's assume
http://mall.example.com/companies/shoestoreexample/default.html, when
returned by the server, sets a cookie.

When a user agent accesses the html entity
http://mall.example.com/companies/shoestoreexample/default.html it first
finds the policy reference file at the well-known location
http://mall.example.com/w3c/p3p.xml. However, due to the EXCLUDE element,
that file does not declare a policy for
/companies/shoestoreexample/default.html.  So, the user agent then uses the
value of the P3P HTTP header and fetches
/companies/shoestoreexample/w3c/p3p.xml, and finds that it declares that the
policy to be used for the URI
http://mall.example.com/companies/shoestoreexample/default.html is
shoestoreexample.xml.

Now, the user agent needs to figure out which policy to use for the cookie
that is set by
http://mall.example.com/companies/shoestoreexample/default.html

Must the user agent go through the same mechanisms all over again?
(And, thus, find that the policy to be used for the cookie set by
http://mall.example.com/companies/shoestoreexample/default.html is
general-mall-policy.xml, not shoestoreexample.xml.)

Lars

Received on Tuesday, 18 September 2001 13:37:04 UTC
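
The scenario in this message, modelled as an added example (not part of the original message, and not the P3P specification's normative algorithm): it evaluates the two quoted POLICY-REF fragments for the page and for a cookie it sets. Assumptions: a bare `REFS` root stands in for the elided wrapper, `*` is the only wildcard, the three COOKIE-INCLUDE fields are read as name, domain and path, the cookie name `session` is constructed, and a repeated lookup consults the well-known file first, which is the behaviour the message asks about.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the two fragments quoted in the message; the wrapper
# elided there ("...") is replaced by a bare root element (assumption).
WELL_KNOWN = """<REFS>
 <POLICY-REF about="general-mall-policy.xml">
  <INCLUDE>/*</INCLUDE>
  <EXCLUDE>/companies*</EXCLUDE>
  <COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>
 </POLICY-REF>
</REFS>"""
HEADER_REF = """<REFS>
 <POLICY-REF about="/companies/shoestoreexample/w3c/shoestoreexample.xml">
  <INCLUDE>/companies/shoestoreexample*</INCLUDE>
  <COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>
 </POLICY-REF>
</REFS>"""

def glob(pattern, value):
    """Match value against pattern, with '*' as the only wildcard."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value) is not None

def uri_policy(ref_xml, path):
    """Policy for a path: some INCLUDE matches and no EXCLUDE matches."""
    for ref in ET.fromstring(ref_xml).iter("POLICY-REF"):
        inc = any(glob(e.text, path) for e in ref.findall("INCLUDE"))
        exc = any(glob(e.text, path) for e in ref.findall("EXCLUDE"))
        if inc and not exc:
            return ref.get("about")
    return None

def cookie_policy(ref_xml, name, domain, path):
    """Policy for a cookie; field order name/domain/path is an assumption."""
    for ref in ET.fromstring(ref_xml).iter("POLICY-REF"):
        for e in ref.findall("COOKIE-INCLUDE"):
            pats = e.text.split()
            if len(pats) == 3 and all(map(glob, pats, (name, domain, path))):
                return ref.get("about")
    return None

def first_match(lookup, *args):
    """Try the well-known file first, then the header-referenced file."""
    for source in (WELL_KNOWN, HEADER_REF):
        policy = lookup(source, *args)
        if policy:
            return policy
    return None
```

Under these assumptions the page resolves to shoestoreexample.xml while the cookie resolves to general-mall-policy.xml, because both files carry a `* * *` COOKIE-INCLUDE and the well-known file is consulted first.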