Re: HTML File Validation - do you need it? from Simeon Willbanks on 2004-02-05 (www-p3p-policy@w3.org from February 2004)

From: Simeon Willbanks <simeon@simeons.net>
Date: Thu, 05 Feb 2004 12:49:59 -0500
To: Rigo Wenning <rigo@w3.org>
Cc: <www-p3p-policy@w3.org>
Message-ID: <BC47EC77.5702%simeon@simeons.net>

Rigo,

Thank you for the explanation.  You have been helpful.

I now am having a problem with implementation.  We have three content
servers all pointed to the same domain.  We successfully validated a p3p
policy on all three content servers, then we validated the p3p policy on the
domain itself. 

We also have an ad server in the mix.  It runs at port 8080.  We placed the
same p3p policy on this server and ran the validator.  This is the message
we received:  

HTTP headers are P3P compliant .
Warning: Multiple P3P headers.
P3P:CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT",
policyref="/w3c/p3p.xml"
P3P:CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT",
policyref="/w3c/p3p.xml"

It appears the validator is getting double headers from our web server and
ad server.  When the p3p policy is removed from the httpd.config file on the
ad server, the validator does not see a p3p policy at all.  We get this
error:

Step 2: HTTP Protocol Validation (HTTP headers )
HTTP headers have no P3P: header.

When the double headers were in place, I loaded a few pages on our site.  IE
blocked all cookies from the ad server, even though the validator said the
url to the ad server was valid.  Could that be because of the presence of 2
compact policies?  Could this be happening because of the port number?  How
could we make only one policy appear on the ad server?  My IE settings were
at, “blocks cookies that do not have a compact privacy policy."

Thanks for the help,
Simeon     

On 2/5/04 6:50 AM, "Rigo Wenning" <rigo@w3.org> wrote:

> 
> Dear Simeon, 
> 
>> Thanks to the archives on this list, my p3p compact policy and p3p.xml are
>> validating.  Thanks!  I realize you need to have both of these in working
>> order to be inline with Microsoft.
> 
> Good to hear!
> 
>> 
>> My question is this, do you need to have the "HTML File Validation" set in
>> order to have the policy work?  My understanding is that you don¹t.  The W3
>> only requires one of the three to be valid, and MS likes you to have the
>> compact policy and policy reference in place.  Am I correct?  This will also
>> save a lot of time because, we will not have change each page on our site,
>> just make the modifications in apache.
> 
> I had that issue with another implementer already. Depending on your
> web-site, it is preferred to start with the well-known-location. The
> link-tag is only there for sites like geocities that have thousands of
> users with different setups. It would be overkill for them to maintain a
> single policy reference file.
> 
> But in your case, as you already said, this is the opposite. If you see
> that P3P implementations don't support the well-known-location or the
> header-mechanism, please report that here.
> 
> Best,

Received on Thursday, 5 February 2004 13:09:50 UTC