- From: Henning Michael Møller Just <henning.just@datagraf.dk>
- Date: Thu, 22 May 2008 09:15:59 +0200
- To: "Lorrie Faith Cranor" <lorrie@cs.cmu.edu>
- Cc: <www-p3p-policy@w3.org>
Thank you for answering my message. I have some trouble understanding some of the details so I'm sending this followup...

>>
>> In case (A) there are no problems. This was the first site so I was
>> happy and thought I had the situation under control :-)
>>
>> In case (B) the cookies were blocked in IE7 (and IE6). Not just my
>> cookie but also their cookie. I didn't know about P3P before this
>> but read up on it and finally figured out how to make a proper
>> policy for my site. When my cookie still didn't work I figured out
>> how to make a compact policy and added it to the header. Then the
>> cookie worked for my site.
>
> That sounds about right.

Sorry? Do you mean case (B) or both?

>>
>> In both cases the client sites have a /w3x/p3p.xml file, but they are
>> 1) almost identical and 2) have syntax errors in the <COOKIE-INCLUDE>.
>> There's no P3P: header in the HTTP headers and there's no
>> P3P compliant <link> element, so http://www.w3.org/P3P/validator.html
>> cannot find a valid policy reference file.
>>
>
> This is not a syntax error. The validator gives a warning, but as long
> as there is a valid policy reference file at /w3c/p3p.xml, there is no
> problem.

What I meant was that the validator gives a syntax error, because the <COOKIE-INCLUDE> tag looks like this: "<COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>". The rest was just information :-)

> What is happening is your site's cookie is being treated as a third-party
> cookie from the perspective of the client sites. IE7 blocks
> third-party cookies that don't have P3P compact policy headers. It
> doesn't matter whether the first-party site (in this case your
> client's site) has P3P for determining whether the third-party cookie
> gets blocked.

Thank you. I *thought* that was how it worked but many different people have presented me with many different opinions on this =:-|

>> In case (A) I am not providing any P3P information. No reference
>> file, no compact policy. In case (B) I am now providing the
>> information, but before doing that it didn't work.
>>
> Hard to tell from the information you have provided.

Do you have an idea what kind of information that would be helpful? I unfortunately cannot disclose the URLs, but I should be able to find out whatever else is needed.

>> In case (A) the iframe has src set to the https:// path for my site.
>> In case (B) the iframe has src set to the http:// path for my site
>> (giving the user a horrible warning about viewing secure and
>> insecure items). My site then redirects to https://
>
> If you use https then you must make sure your P3P policy reference
> file is also available via https

It is. But I'm still only providing it for my own site in case (B).

>> I hope I make sense with all this - and I know it works now and I
>> ought to be happy, but I want to know why it didn't work before.
>> Otherwise it will just become a magic potion I'll have to apply
>> every now and then :-(
>
> These articles may help:
> http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html
> http://www.oreillynet.com/pub/a/javascript/2002/11/19/p3p.html

Yes, I forgot to write that. Both articles have been very helpful. In fact, it was through those articles and their links I even found this mailing list. I believe it was through the website for the book.

Best regards
Henning Michael Møller Just
Received on Thursday, 22 May 2008 07:16:57 UTC
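The two checks discussed in this thread, as an added example that is not part of the original message: a lint for the `<COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>` form (P3P 1.0 defines COOKIE-INCLUDE as an empty element with `name`, `value`, `domain` and `path` attributes) and a check that a framed site's response carries a compact policy alongside its cookie. The sample policy reference file, the header values and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"
ALLOWED_ATTRS = {"name", "value", "domain", "path"}

# Constructed policy reference file using the form quoted in the message.
BAD_PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policy.xml#main">
   <INCLUDE>/*</INCLUDE>
   <COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""

# Same file with the cookie pattern expressed as attributes.
GOOD_PRF = BAD_PRF.replace(
    "<COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>",
    '<COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>')

def lint_policy_ref(xml_text):
    """Return problems found in COOKIE-INCLUDE / COOKIE-EXCLUDE elements."""
    problems = []
    for tag in ("COOKIE-INCLUDE", "COOKIE-EXCLUDE"):
        for el in ET.fromstring(xml_text).iter(P3P_NS + tag):
            text = (el.text or "").strip()
            if text:
                problems.append(f"{tag}: pattern given as text {text!r}; "
                                "use name/value/domain/path attributes")
            unknown = set(el.attrib) - ALLOWED_ATTRS
            if unknown:
                problems.append(f"{tag}: unexpected attributes {sorted(unknown)}")
    return problems

def third_party_cookie_issues(headers):
    """headers: (name, value) pairs from the framed (third-party) response."""
    if not any(n.lower() == "set-cookie" for n, _ in headers):
        return []
    p3p = [v for n, v in headers if n.lower() == "p3p"]
    if not p3p:
        return ["Set-Cookie sent without a P3P header"]
    if not any(re.search(r'CP\s*=\s*"[^"]+"', v) for v in p3p):
        return ["P3P header present but has no compact policy (CP=...)"]
    return []

if __name__ == "__main__":
    print(lint_policy_ref(BAD_PRF))
    print(third_party_cookie_issues([("Set-Cookie", "sid=abc")]))
```
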