Re: Number of policies that may apply

>      What you've got here is two conflicting policy reference files. Each
> one declares a policy which covers all cookies on the site...this is a bad
> thing. P3P's non-ambiguity rules require that the site only declare one
> policy for a given cookie or URL.

Ah, thanks for pointing that out.  I had failed to realize that the
Significance of order (section 2.3.2.1.1) only applies to POLICY-REF
elements in the same file.

I went back to the spec and looked at 2.4.1 Non-ambiguity.  That section
also states "If a policy reference file at the well-known location declares
a non-expired policy for a given URI, this policy applies, regardless of any
conflicting policy reference files referenced through HTTP headers or HTML
link tags."  So, I guess in my particular example, even though there are two
conflicting policy reference files, the user agent should use the policy
specified by the policy reference file at the well-known location.

But, regardless, that was not my intention: the intention was to let each
store specify their own cookie policies, and to do that I have to use more
carefully crafted policy reference files.

>      Now, let's assume that the two policy reference files weren't
> conflicting. Imagine that the main site sets one cookie on every single
> page under mall.example.com, and the shoe store sets a second cookie for
> its pages. Imagine further that the two policy reference files
> differentiate this correctly, perhaps by naming the cookies to include or
> exclude. In this case, the user-agent would need to consult both policy
> reference files in order to find the policy for the two cookies.

Thanks, I think this answers my original line of questions.

Lars

>
>      -- Martin
>
> Martin Presler-Marshall - Program Manager, Privacy Technology
> E-mail: mpresler@us.ibm.com     AIM: jhreingold
> Phone: (919) 254-7819 (tie-line 444-7819) Fax: (919) 254-6430 (tie-line
> 444-6430)

Received on Wednesday, 19 September 2001 15:03:36 UTC
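
The check discussed in this message, as an added example that is not part of the original thread or of any P3P implementation: it reports whether two policy reference files both claim the same cookie and applies the well-known-location rule quoted from section 2.4.1, then shows the non-conflicting split by cookie name. It assumes the `COOKIE-INCLUDE`/`COOKIE-EXCLUDE` attribute syntax of the P3P 1.0 Recommendation and extends the quoted URI rule to cookies as the message does. The file paths, policy names and cookies are constructed, and matching is simplified to `*` wildcards with expiry ignored.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 namespace
ATTRS = ("name", "value", "domain", "path")

def prf(about, include, exclude=""):
    """Build a constructed one-entry policy reference file (sample data, not from the thread)."""
    body = f'<COOKIE-INCLUDE name="{include}" value="*" domain="*" path="*"/>'
    if exclude:
        body += f'<COOKIE-EXCLUDE name="{exclude}" value="*" domain="*" path="*"/>'
    return ('<META xmlns="http://www.w3.org/2002/01/P3Pv1"><POLICY-REFERENCES>'
            f'<POLICY-REF about="{about}">{body}</POLICY-REF></POLICY-REFERENCES></META>')

def matches(elem, cookie):
    # Assumption: only "*" is a wildcard and an absent attribute matches anything.
    return all(re.fullmatch(re.escape(elem.get(a, "*")).replace(r"\*", ".*"), cookie.get(a, ""))
               for a in ATTRS)

def policy_for(prf_xml, cookie):
    """Within one file order matters: the first POLICY-REF covering the cookie applies."""
    for ref in ET.fromstring(prf_xml).iter(NS + "POLICY-REF"):
        included = any(matches(e, cookie) for e in ref.findall(NS + "COOKIE-INCLUDE"))
        excluded = any(matches(e, cookie) for e in ref.findall(NS + "COOKIE-EXCLUDE"))
        if included and not excluded:
            return ref.get("about")
    return None

def resolve(well_known, referenced, cookie):
    """Return (policy that applies, True if the files disagree about this cookie)."""
    wk = policy_for(well_known, cookie)
    others = {p for p in (policy_for(x, cookie) for x in referenced) if p}
    ambiguous = len(others | ({wk} if wk else set())) > 1
    if wk:  # the well-known file wins over files referenced by header or link tag
        return wk, ambiguous
    return (next(iter(others)) if len(others) == 1 else None), ambiguous

def demo():
    cookie = {"name": "shoe_cart", "value": "42", "domain": "mall.example.com", "path": "/shoes/"}
    # Case 1: both files claim every cookie -> ambiguous, the well-known file decides.
    bad = resolve(prf("/w3c/mall.xml#mall", "*"), [prf("/shoes/p3p.xml#shoes", "*")], cookie)
    # Case 2: the files split cookies by name -> both are consulted, no ambiguity.
    mall = prf("/w3c/mall.xml#mall", "*", exclude="shoe_*")
    shoes = prf("/shoes/p3p.xml#shoes", "shoe_*")
    good = [resolve(mall, [shoes], c) for c in (cookie, dict(cookie, name="mall_id"))]
    return bad, good

if __name__ == "__main__":
    print(demo())
```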