Policy Generation, Compact Policies, the Safe Zone - Part 3 of Chapter 5 from Web Privacy with P3P (3/4)
Web Privacy with P3P, Chapter 5: Overview and Options
P3P-enabled web sites have the option of providing short summaries of their policies with respect to cookies in P3P HTTP response headers that accompany Set-Cookie headers. These compact policies are designed as an optimization that lets a user agent process cookies before it has fetched and evaluated the full P3P policy. Sites can use compact policies only if they set cookies and if the cookie-related statements in their full P3P policies do not include mandatory extensions (discussed in Chapter 6). The details of writing compact policies are discussed in Chapter 7. The P3P HTTP header is discussed in Chapter 8.
TIP: While compact policies are entirely optional for P3P-enabled web sites, IE6 relies heavily on them. This browser makes cookie-blocking decisions based solely on compact policies. By default, IE6 blocks "third-party" cookies that do not have compact policies.
A site that uses compact policies has a policy reference file and a full P3P policy, just like any other P3P-enabled web site. In addition, the site configures its web server to include a P3P header with every response that carries a Set-Cookie header (or with every response). Here is an example of what such a server response might look like:
HTTP/1.1 200 OK
P3P: policyref="http://cookie.example.com/w3c/p3p.xml", CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Content-Type: text/html
Content-Length: 8934
Server: Netscape-Enterprise/3.6 SP3
Set-Cookie: lubid=010033443C463628000C0000; path=/; domain=.example.com; expires=Thu, 31-Dec-2003 23:59:59 GMT
Set-Cookie: pref=no-frame; path=/; expires=Thu, 31-Dec-2003 23:59:59 GMT
Note that the compact policy applies to all cookies set in this HTTP response. In this case, it applies to two cookies. If the HTTP response includes scripts that set cookies, the compact policy applies to these cookies as well.
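The following Python script is an added example, not code from the book: it parses the P3P header of a response like the one above into its directives, checks every token of the compact policy against the P3P 1.0 compact-policy vocabulary (the token table is reproduced from the specification; the book covers writing compact policies in Chapter 7), and lists the cookies that the single compact policy governs. The sample response is constructed from the example above, and the function and constant names are this example's own.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped as in the specification.
# Reproduced here for the validator; the page's own example uses a subset.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
            "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
ALL_TOKENS = (ACCESS | DISPUTES | REMEDIES | NON_IDENTIFIABLE | PURPOSE
              | RECIPIENT | RETENTION | CATEGORY | TEST)
# Purposes other than CUR and recipients other than OUR may carry a one-letter
# "required" suffix: a = always, i = opt-in, o = opt-out.
SUFFIXABLE = (PURPOSE - {"CUR"}) | (RECIPIENT - {"OUR"})
SUFFIXES = {"a", "i", "o"}

DIRECTIVE_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_p3p_header(value):
    """Split a P3P header value into its quoted directives,
    e.g. {'policyref': 'http://...', 'CP': 'NON DSP ...'}."""
    return {name: val for name, val in DIRECTIVE_RE.findall(value)}


def validate_compact_policy(cp):
    """Return the problems found in a compact policy string; an empty list means
    every token is in the vocabulary and carries only an allowed suffix."""
    tokens = cp.split()
    if not tokens:
        return ["empty compact policy"]
    problems = []
    for tok in tokens:
        base, suffix = tok[:3], tok[3:]
        if base not in ALL_TOKENS:
            problems.append(f"unknown token {tok!r}")
        elif suffix and (suffix not in SUFFIXES or base not in SUFFIXABLE):
            problems.append(f"token {tok!r} may not carry suffix {suffix!r}")
    return problems


def cookies_covered_by(raw_response):
    """Return (compact_policy, [cookie names]) for the head of an HTTP response.
    One compact policy governs every Set-Cookie header in the same response,
    so all the names returned fall under the one CP value."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    cp, names = None, []
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, val = line.partition(":")
        if not sep:
            continue
        name, val = name.strip().lower(), val.strip()
        if name == "p3p":
            cp = parse_p3p_header(val).get("CP")
        elif name == "set-cookie":
            # the cookie name is everything before '=' in the first attribute
            names.append(val.split(";", 1)[0].partition("=")[0].strip())
    return cp, names


# Constructed sample, modelled on the response shown above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'P3P: policyref="http://cookie.example.com/w3c/p3p.xml", '
    'CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"\r\n'
    "Content-Type: text/html\r\n"
    "Set-Cookie: lubid=010033443C463628000C0000; path=/; domain=.example.com\r\n"
    "Set-Cookie: pref=no-frame; path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    cp, names = cookies_covered_by(SAMPLE_RESPONSE)
    print("compact policy:", cp)
    print("applies to cookies:", names)
    print("problems:", validate_compact_policy(cp) or "none")
    print("problems:", validate_compact_policy("FOO CURa DELo"))
```

Running the validator over the header you intend to ship catches the two mistakes that are easy to make by hand: a token that is not in the vocabulary, and an opt-in/opt-out suffix on a token that does not take one.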
Compact policies must be sent as part of a P3P HTTP header. To do this, you must be able to get your web server to issue this header. Depending on what server you use, you can do this by configuring files on your server (Appendix B provides instructions for several popular web servers) or by inserting an HTML META element into your HTML content with the http-equiv attribute set to P3P and the content attribute set to the P3P header value you want issued. Here is an example of such a META element:
<META http-equiv='P3P' content='policyref="http://cookie.example.com/w3c/p3p.xml", CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"'>
Some servers look for http-equiv and generate headers accordingly. However, if your server does not do this, you won't get a P3P header. User agents are not required to support http-equiv, and most currently ignore it. Make sure you test this feature on your server by checking that the P3P header actually appears in the HTTP response, not just in the HTML.
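What a server that "looks for http-equiv" has to do is scan the HTML before it flushes the response headers and turn the META element into a real header. The Python below is an added example of such a server-side filter, not code from the book or from any particular web server; the function names are its own and the sample HTML is constructed from the META element above.

```python
import re

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
# attribute forms: name="double" | name='single' | name=bare
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def p3p_header_from_meta(html):
    """Return the value that a <META http-equiv="P3P" content="..."> element asks
    the server to send as the P3P header, or None if the page has no such element."""
    for tag in META_TAG_RE.finditer(html):
        attrs = {}
        for m in ATTR_RE.finditer(tag.group(0)[5:]):   # skip the '<meta' prefix
            attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
        if attrs.get("http-equiv", "").strip().lower() == "p3p" and "content" in attrs:
            return attrs["content"].strip()
    return None


def add_p3p_header(headers, html):
    """Server-side filter: if the response has no P3P header yet but the body
    carries a P3P META element, add the header. `headers` is a list of
    (name, value) pairs; the body must be scanned before the headers go out."""
    if any(name.lower() == "p3p" for name, _ in headers):
        return list(headers)            # explicit configuration wins over META
    value = p3p_header_from_meta(html)
    if value is None:
        return list(headers)
    return list(headers) + [("P3P", value)]


# Constructed sample page carrying the META element shown above.
SAMPLE_HTML = (
    "<html><head><title>example</title>\n"
    "<META http-equiv='P3P' content='policyref=\"http://cookie.example.com/w3c/p3p.xml\", "
    "CP=\"NON DSP ADM DEV PSD OUR IND PRE NAV UNI\"'>\n"
    "</head><body>...</body></html>"
)

if __name__ == "__main__":
    for name, value in add_p3p_header([("Content-Type", "text/html")], SAMPLE_HTML):
        print(f"{name}: {value}")
```

Because the header has to precede the body on the wire, a filter like this forces the server to buffer or pre-scan the document; that is the cost that makes server configuration (Appendix B) the more robust option.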
If you decide to use compact policies, you need to be careful about what expiration date you place on your cookies, because the compact policy applies for the lifetime of the cookie. Many web sites are in the habit of placing very long expiration dates on their cookies--for example, 30 years--so that they essentially never expire. However, these sites may not be prepared to say that their privacy policies won't change for 30 years. If a site sets a cookie with a compact policy and decides to change its policy before the cookie expires, it must reset the cookie when the user returns to the web site by issuing a new Set-Cookie header. Keeping track of which cookies have been reset and when can be quite a hassle.
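One way to keep that bookkeeping manageable, shown here as an added example rather than a technique from the book: cap every cookie's Expires at the date by which the policy will next be reviewed, and record the policy version the cookies were set under in a small companion cookie, so that a returning user whose cookies predate the current version gets them re-set with the current P3P header. The site settings, cookie names and the companion-cookie idea are this example's own assumptions.

```python
from datetime import datetime, timezone

# Constructed site settings for the example (not from the book).
POLICYREF = "http://cookie.example.com/w3c/p3p.xml"
COMPACT_POLICY = "NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
POLICY_VERSION = 2                       # bump whenever the compact policy changes
POLICY_REVIEW = datetime(2004, 6, 30, tzinfo=timezone.utc)   # latest date the policy is promised to hold
VERSION_COOKIE = "cpv"                   # companion cookie: version the others were set under


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (the Cookie request header)."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def set_cookie(name, value, wanted_expiry):
    """Build a Set-Cookie value whose Expires never outlives POLICY_REVIEW:
    the compact policy sent with it applies for the cookie's whole lifetime,
    so a 30-year cookie would be a 30-year promise."""
    expires = min(wanted_expiry, POLICY_REVIEW)
    return f"{name}={value}; path=/; expires={expires.strftime('%a, %d-%b-%Y %H:%M:%S GMT')}"


def response_headers(request_cookie_header, tracked):
    """Headers to add to the response for this request. `tracked` maps each cookie
    name the site sets to the expiry it would like. If the client's cookies were set
    under an older policy version (or carry no version), every tracked cookie it still
    holds is re-set, with the current P3P header, so the new compact policy governs it."""
    cookies = parse_cookie_header(request_cookie_header)
    try:
        seen_version = int(cookies.get(VERSION_COOKIE, "0"))
    except ValueError:
        seen_version = 0
    if seen_version >= POLICY_VERSION:
        return []                        # already set under the current policy
    headers = [("P3P", f'policyref="{POLICYREF}", CP="{COMPACT_POLICY}"')]
    for name, wanted in tracked.items():
        if name in cookies:
            headers.append(("Set-Cookie", set_cookie(name, cookies[name], wanted)))
    headers.append(("Set-Cookie", set_cookie(VERSION_COOKIE, str(POLICY_VERSION), POLICY_REVIEW)))
    return headers


if __name__ == "__main__":
    thirty_years = datetime(2033, 1, 6, tzinfo=timezone.utc)
    tracked = {"lubid": thirty_years, "pref": thirty_years}
    for name, value in response_headers("lubid=010033443C463628000C0000; pref=no-frame", tracked):
        print(f"{name}: {value}")
    print(response_headers("lubid=010033443C463628000C0000; pref=no-frame; cpv=2", tracked))
```

The version cookie is what makes the "which cookies have been reset and when" question answerable without server-side state per user: any request that arrives without the current version is, by construction, one whose cookies were set under the old promise.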
You should also be aware that compact policies provide a simplified representation of a site's policy that may cause the site's data practices to appear more privacy-invasive than they actually are. For example, imagine a site that has online contact information and clickstream information linked to cookies. Say the site uses the online contact information internally but shares clickstream information with other parties. A compact policy for this site would simply state that the site collects online contact and clickstream information and shares data with other parties. The compact policy is not granular enough to indicate that only the clickstream information is shared. If you decide to use compact policies on your site, make sure you examine them carefully and are comfortable with the statement they make.
Created: January 6, 2003
Revised: January 6, 2003