P3P，Cookie和IE6.0：一个案例研究-CSDN博客

This topic is not dear to my heart. Nevertheless, I think it’s one of the most important issues facing Webmasters today. It’s privacy.

这个话题对我来说并不重要。 尽管如此，我认为这是当今网站管理员面临的最重要问题之一。 这是隐私。

As an Internet user, I’m reasonably concerned with privacy. Of course, I don’t want my address sold to unscrupulous spammers, but, like most, I don’t always read the privacy policies of the sites I visit.

作为互联网用户，我合理地关注隐私。当然，我不希望将我的地址出售给不道德的垃圾邮件发送者，但像大多数人一样，我并不总是阅读我访问的网站的隐私政策。

A Website’s users are its lifeblood, especially in the game of Internet marketing and online business. So, it’s vitally important that we treat the privacy requirements of our sites with the attention they demand.

网站的用户是其生命线，尤其是在互联网营销和在线业务的游戏中。因此，至关重要的是，我们要重视网站的隐私要求。

Don’t worry — I’m not going to bore you with a thesis here; I’ll just give you the quick answers. Read this article, and update your site with the techniques you learn here. Then, if you choose to find out more from the resources I’ve listed below, you’ll be better prepared than most to handle changes in the area of consumer privacy online. At the very least, you will have complied with the rules. And, for some, there will be spinoffs that actually increase your traffic. More on that later, though.

不用担心-我不会在这里给你打论文；我会给你快速的答案。阅读本文，并使用此处学习的技术更新您的网站。然后，如果您选择从我在下面列出的资源中查找更多信息，那么与大多数人相比，您会更好地准备在线处理消费者隐私方面的更改。至少，您将遵守规则。而且，对于某些人来说，会有一些衍生品实际上增加了您的访问量。不过，稍后会更多。

隐私合规性-谁在乎？ (Privacy Compliance — Who Cares?)

Microsoft, as we know, dominates the market with its Internet Explorer browser, so, generally, we all sit up and take notice of anything MS does. With the latest version (IE6.0), MS redefined the way the browser reacts to cookies, based on the new w3c (World Wide Web Consortium) standard for P3P (The Platform for Privacy Preferences Project).

众所周知，Microsoft凭借其Internet Explorer浏览器占领了市场，因此，通常来说，我们都会坐下来注意MS所做的任何事情。在最新版本(IE6.0)中，MS基于P3P(隐私首选项平台)的新w3c(万维网联盟)标准，重新定义了浏览器对Cookie的React方式。

As this article is written by a layman for other laymen and women, I’ll deliberately keep this discussion light. If you want to talk tech and get the tools I refer to along the way, visit the links at the end of the article.

由于本文是由非专业人士为其他非专业人士撰写的，因此我将特意对此进行讨论。如果您想谈论技术并获得我所使用的工具，请访问本文结尾处的链接。

Suffice to say that MS IE6.0 has redefined the browser’s security settings; it appears that our old ‘high’ security setting has now become ‘medium’, which the software is set to use as its default. It’s more than that, though. The browser of course allows the user to change these settings and, indeed, to override them, but to the hordes of users out there who are struggling with the basic concept of cookies, this represents nothing less than a new barrier to accessing online content.

可以说，MS IE6.0已经重新定义了浏览器的安全设置。看来我们以前的“高”安全性设置现已变为“中”，该软件已设置为默认设置。但是，不仅如此。当然，浏览器允许用户更改这些设置，并且确实可以覆盖它们，但是对于正在努力解决Cookie基本概念的众多用户而言，这无异于成为访问在线内容的新障碍。

Many sites — even large, highly-trafficked ones — do not appear to have privacy policies that comply with the new P3P standards. If you use IE, you can tell this when you arrive at those sites, as an ‘eyeball’ with a red ‘minus’ sign appears in the status bar of your browser. The first time a user tries to use IE6.0 to access a site that doesn’t have a compliant privacy policy, a warning dialogue appears. This is scary stuff to new users — your users. If they check the box that says ‘don’t alert me about this again’, the magic eye starts to appear instead. Though this is a downgraded alert, it’s still unsettling enough to make those who don’t know or trust the Internet feel a little more suspicious of a site’s contents — perhaps your site’s contents.

许多网站-甚至大型，人流量大的网站-似乎都没有符合新的P3P标准的隐私权政策。如果您使用的是IE，则可以在到达这些网站时告诉您，因为浏览器状态栏中会显示带有红色“减号”的“眼球”。用户首次尝试使用IE6.0访问没有遵从性隐私策略的网站时，将出现警告对话框。对于新用户(您的用户)来说，这是令人恐惧的东西。如果他们选中“不再提醒我此事”框，则开始出现魔眼。尽管这是降级的警报，但它仍然令人不安，足以使那些不了解或不信任Internet的人对站点的内容(也许是站点的内容)更加怀疑。

You can see where we’re headed with this. As marketers on the Internet, our task is to gain the trust of our customers and provide them with a pleasant and valuable experience that leads to a purchase. Hey, business is business, right? And that trust could be quickly eroded by a browser on the alert rampage — before you even know what’s happening.

您可以看到我们前进的方向。作为互联网上的营销人员，我们的任务是赢得客户的信任，并为他们提供愉快而宝贵的体验，从而促成购买。嘿，生意就是生意，对不对？浏览器在警报泛滥之前可能会Swift削弱这种信任，甚至您甚至不知道发生了什么。

How many thousands of people may have come to your site already and experienced the dreaded ‘minus eyeball’ or even a fully blown ‘batten down the hatches, this site is nasty!’ warning? Don’t worry, I’ll show you how to fix the problem in just a moment.

可能已有成千上万的人来到您的站点，并经历了可怕的“负眼球”，甚至经历了完全打击的“踩下舱门，这个站点令人讨厌”！警告？不用担心，我将在短时间内告诉您如何解决问题。

It gets worse for owners of many domains that frame URLs, forwarding their visitors to one main server. This is in fact what led me to start investigating the whole P3P issue for myself, and to pen this article on P3P quick-compliance.

对于许多构造URL并将其访问者转发到一台主服务器的域的所有者来说，情况变得更糟。实际上，这就是促使我开始亲自调查整个P3P问题的原因，并撰写了有关P3P快速合规性的文章。

P3P问题变得个性化 (The P3P Problem Gets Personal)

I recently registered the domain yousmartass.com for a new online venture with my partner Mitch Baldwin. As I already had two large host servers with enough room to swing many cats, I chose to forward the domain yousmartass.com to my already-hosted domain, free-agent-path.info.

我最近与我的合作伙伴Mitch Baldwin注册了域名yousmartass.com进行新的在线创业。由于我已经有两个大型主机服务器，并且有足够的空间来安放许多猫，因此我选择将域名yousmartass.com转发到我已经托管的域名free-agent-path.info。

I coded all the pages and created a privacy policy from an existing statement that I edited to suit my needs. Many people take this approach, even though you can get a policy made specifically for your site for free — more on that in a minute.

我对所有页面进行了编码，并根据我根据自己的需要进行编辑的现有声明创建了隐私政策。即使您可以免费获得专门针对您的网站制定的政策，也可以在许多分钟内获得采用这种方法的机会。

I decided the best and fastest way to allow access to my site was to use a cookie as the ticket for entry. Users would have a cookie placed on their machine when they entered their contact details as part of the site’s software download process. It worked on paper, so I tried it myself.

我决定允许访问我的网站的最佳和最快方法是使用Cookie作为进入门票。在网站的软件下载过程中，输入联系方式时，用户会将cookie放置在其计算机上。它可以在纸上工作，所以我自己尝试了。

The redirect from yousmartass.com to the specified folder on free-agent-path.info worked as expected. Once I’d entered my name and email address, my machine was offered a cookie, which was accepted automatically and I was granted access. So … where’s the problem?

从yousmartass.com重定向到free-agent-path.info上的指定文件夹，按预期进行。输入我的姓名和电子邮件地址后，将为我的机器提供一个cookie，该cookie被自动接受，并被授予访问权限。那么……问题出在哪里？

The problem is that I didn’t have invoked on my browser the medium setting that’s now the default standard. I found out the hard way that hundreds of visitors were being turned away when my software page didn’t see the cookie that was quite obviously never placed. It wasn’t placed on the user’s machine because the site had no machine-readable privacy policy, and the browser’s rule states that if no policy exists, no cookie will be accepted.

问题是我没有在浏览器上调用现在为默认标准的媒体设置。当我的软件页面看不到显然从未放置过的cookie时，我发现很难的办法是将数百名访问者拒之门外。它没有放置在用户的计算机上，因为该站点没有计算机可读的隐私策略，并且浏览器的规则指出，如果不存在任何策略，则将不接受任何cookie。

But this was no ordinary cookie I was trying to place. Because I’d redirected the initial URL, and the cookies were being placed by this new domain (free-agent-path.info), they were defined as third-party. Tougher laws have been defined for third party cookies, and mine certainly weren’t being accepted in the spirit in which they were offered. Death by cookies seemed the order of the day.

但这不是我要放置的普通cookie。因为我重定向了初始URL，并且cookie被这个新域(free-agent-path.info)放置，所以它们被定义为第三方。已经为第三方Cookie定义了更严格的法律，而我的精神当然并没有被接受。小甜饼的死亡似乎已成定局。

The stringent cookie standards are there to stop shady individuals and companies from learning things about you without your consent, as you surf innocently on a host site. It’s particularly supposed to protect users from third party sites that host advertisements that suck your personal info. Ever tried switching your settings so that you’re prompted each time a cookie is placed through your browser? You can do it in Tools -> Internet Options -> Privacy -> Advanced. Then go somewhere like howstuffworks.com. You can see why we need the privacy thing — at the very least, so that we aren’t constantly swatting at dialogue boxes all day!

当您无私地在宿主网站上冲浪时，严格的cookie标准可阻止可疑的个人和公司未经您的同意而了解有关您的信息。特别是应该保护用户免受那些托管会吸收您的个人信息的广告的第三方站点的侵害。您是否曾经尝试过切换设置，以便每次通过浏览器放置Cookie时都会提示您？您可以在工具-> Internet选项->隐私->高级中进行操作。然后去类似howstuffworks.com的地方。您可以看到为什么我们需要隐私这一点-至少是这样，以便我们不会整日不停地在对话框中乱跑！

I had to figure a way to get the browsers to relax on this third-party cookie issue and start accepting them, otherwise, many of my visitors would be left out in the cold. In fact, they already were! I was, at the time, receiving countless emails from people pleading to get in, some having tried more than 4 times on different occasions.

我必须想出一种方法使浏览器在第三方Cookie问题上放松并开始接受它们，否则，我的许多访问者将被冷落。实际上，它们已经是！当时，我收到了无数人恳求加入的电子邮件，其中有些人在不同场合尝试了4次以上。

您自己的P3P隐私政策 (Your Own P3P Privacy Policy)

Let’s go back a few steps. What exactly is a privacy policy? It’s four things, really.

让我们返回几步。隐私政策到底是什么？真的，这是四件事。

First, it’s a human-readable statement of the information you collect about visitors to your site, and what you intend to do with that information. This should be plainly visible to the user, usually linked to the homepage (typically in the footer) and other key pages of the site.

首先，它是您所收集的有关网站访问者的信息以及您打算如何使用这些信息的易于理解的陈述。这应该对用户清晰可见，通常链接到主页(通常在页脚中)和站点的其他关键页面。

The second aspect of having a P3P-compliant privacy policy involves hosting a full policy in XML (eXtensible Markup Language), which defines the particulars of your business address, contact details, the location of your human-readable privacy policy, actions to be taken if a user feels their privacy has been breached, and the types of, and options pertaining to, user data that’s collected.

拥有符合P3P的隐私策略的第二个方面涉及以XML(可扩展标记语言)托管完整的策略，该策略定义您的公司地址，联系方式，人类可读的隐私策略的位置以及将要采取的措施的详细信息如果用户感到其隐私受到侵犯，以及所收集的用户数据的类型和相关选项，

The third consideration is the policy reference file. The reference file points to the location of the policy file on your server. Both files are usually located in what is called the well-known location — a folder you must call w3c, and locate on the top level of your site. Not above the top level, like the cgi-bin, but at the first level inside your html documents folder.

第三个考虑因素是策略参考文件。参考文件指向策略文件在服务器上的位置。这两个文件通常都位于众所周知的位置，即您必须调用w3c的文件夹，并位于站点的顶层。不在cgi-bin之类的顶层之上，而是在html document文件夹中的第一层之上。

Both of these files are XML documents, but you needn’t rush out and buy the Idiot’s Guide just yet — help is at hand. IBM has come to the party with a Java application that runs on your own machine and is supposed to walk you though everything required for you to achieve compliance. Enter your intentions in one end, and out come the goods at the other! All for free.

这两个文件都是XML文档，但是您不必着急购买《白痴指南》，它就在您身边。 IBM参加了在您自己的计算机上运行的Java应用程序的聚会，应该为您提供实现合规性所需的一切。一方面输入您的意图，另一方面输入商品！全部免费。

In reality, though, it’s not quite as simple as it sounds. The procedure involves dragging instances of information collection from your site (defined in the left window) across to the right window, which is your active policy. As the instances hit the right window, they’re incorporated into the profile. And, as the profile grows, it also generates a written privacy policy.

但是实际上，它并不像听起来那样简单。该过程涉及将信息收集实例从您的站点(在左侧窗口中定义)拖到右侧窗口，这是您的活动策略。当实例到达右侧窗口时，它们将被合并到配置文件中。并且，随着配置文件的增长，它还会生成书面的隐私权政策。

However, the site owner must go into a menu and click through a number of tabs, inputting specific company and/or individual information in like business address, phone number, email contact, etc. There are a small number of other steps we must take before the process is complete. The combination of the error page’s messages, and some general menu snooping, leads us to create the policy reference file without too much work.

但是，网站所有者必须进入菜单并单击多个选项卡，以公司地址，电话号码，电子邮件联系人等形式输入特定的公司和/或个人信息。我们还必须采取一些其他步骤在过程完成之前。错误页面的消息和一些常规菜单侦听的结合使我们无需太多工作即可创建策略参考文件。

The finished files can be saved to their respective folders on your server, as described earlier (privacy_policy.xml and ref_policy.xml are both placed in the w3c folder at www.your_domain/w3c/).

可以将完成的文件保存到服务器上各自的文件夹中，如前所述(privacy_policy.xml和ref_policy.xml都位于www.your_domain / w3c /的w3c文件夹中)。

Fourth, and of particular interest to sites that use cookies, is the compact policy, or CP. This is a machine-readable header code that uses an abbreviated form of the full policy. It’s actually derived from the full policy when you use the IBM policy generator.

第四，使用cookie的站点特别感兴趣的是紧凑型策略或CP。这是使用完整策略的缩写形式的机器可读标头代码。当您使用IBM策略生成器时，它实际上是从完整策略派生的。

But — and here’s the great news — the only thing you’ll require immediately to guarantee that your visitors will not block your cookies is the compact policy. Let’s see how it works.

但是，这是一个好消息，这是紧凑的政策，您唯一需要立即保证您的访问者不会阻止您的Cookie的东西。让我们看看它是如何工作的。

契约政策 (The Compact Policy)

Headers are pieces of information sent to the browser before the main page is evaluated. When a cookie is sent, it must be accompanied by a compact privacy policy so the user’s browser can look at both, see if they marry up, and decide what to do. Get this bit right, and all but the toughest setting on your user’s browser won’t have a problem with your cookies.

标头是在评估主页之前发送到浏览器的信息。发送Cookie时，必须附带紧凑的隐私权政策，以便用户的浏览器可以同时查看两者，查看它们是否结婚并决定要做什么。做到这一点正确，除了用户浏览器上最困难的设置之外，cookie都不会出现问题。

Now, we don’t need to go through the details of this, because the good folks at the Privacy Council offer an automated service that creates compact policies. They’ll even email the result to you. Just register with them, select from a series of multiple choice questions about what your site does and doesn’t do, and you’re in business again.

现在，我们无需详细说明这一点，因为隐私委员会的好伙伴提供了创建紧凑策略的自动化服务。他们甚至会通过电子邮件将结果发送给您。只需向他们注册，从一系列关于您的网站做什么和不做什么的多选问题中进行选择，您就可以再次营业。

Now, you need to know how to implement the compact policy into your pages. Again, I’ll illustrate this point with the code I used for my own site.

现在，您需要知道如何在页面中实施压缩策略。再次，我将用我自己的网站所使用的代码来说明这一点。

In pure HTML pages, insert this code into the head section of your page:

在纯HTML页面中，将此代码插入页面的头部：

<meta http-equiv="P3P" content='CP="IDC DSP COR CURa ADMa

OUR IND PHY ONL COM STA"'>

In PHP pages, insert this as the first thing on the page after the setting of the cookie:

在PHP页面中，将其作为cookie设置之后在页面上的第一件事插入：

<?php header('P3P: CP="IDC DSP COR CURa ADMa OUR IND

PHY ONL COM STA"'); ?>

For other server-side languages, see the link below titled "Header Creation".

对于其他服务器端语言，请参见下面标题为“标头创建”的链接。

Of course, don’t just use the code above as-is. You need to go to the URL given below at the Privacy Council, and generate your own. Don’t worry, it’s straightforward and non-technical.

当然，不要只是按原样使用上面的代码。您需要转到隐私委员会下面给出的URL，并生成自己的URL。不用担心，这是直接且非技术性的。

It’s important to understand that only pages that place cookies need to have a CP. Form pages don’t set cookies, so they don’t need a policy. Remember that if you use a piece of JavaScript code to set a cookie for popup control, the page that calls the popup and does the cookie-setting will require a compact policy.

重要的是要理解只有放置cookie的页面才需要具有CP。表单页面没有设置cookie，因此它们不需要策略。请记住，如果您使用一段JavaScript代码来设置弹出窗口控件的cookie，则调用弹出窗口并进行cookie设置的页面将需要一个紧凑的策略。

Some sites may need more than one policy. Why? Well, a policy describes what information is collected (and why) in a specific URL location. That can be the whole site, or specific folders on your site. While most of us will probably generate one policy for the whole site, it is possible to point to a different policy location in each header, on each page. You would do this if, for example, one section of your site allowed users to subscribe to your newsletter by providing their email addresses and first names, while the other offers a members’ area that uses cookies to customize the browser’s view. Perhaps you also provide a shopping cart that stores user status and personal information for use in processing the order.

一些站点可能需要多个策略。为什么？好的，策略描述了在特定URL位置中收集了哪些信息(以及原因)。可以是整个网站，也可以是网站上的特定文件夹。尽管我们大多数人可能会为整个站点生成一个策略，但有可能在每个页面的每个标题中指向不同的策略位置。例如，如果您网站的某一部分允许用户通过提供其电子邮件地址和名字来订阅您的时事通讯，而另一部分提供了一个使用Cookie来定制浏览器视图的成员区域，则可以这样做。也许您还提供了一个购物车，用于存储用户状态和个人信息以用于处理订单。

If you need to point to another policy that has been generated to describe a specific use of cookies like this, you’ll want to put one of the following headers on the page(s) that pass cookies to the visiting browser:

如果您需要指向生成的另一种描述此类Cookie特定用法的策略，则需要在将Cookie传递到访问浏览器的页面上放置以下标头之一：

Firstly, using PHP:

首先，使用PHP：

<?php Header('P3P: href="/your_2nd_policy/p3p.xml"

CP="your compact policy"'); ?>

Now, using HTML:

现在，使用HTML：

<meta http-equiv="P3P" href="/your_2nd_policy/p3p.xml"

content='CP="your compact policy"'>

If, following these guidelines, you’ve built your own individual files, you can test them with the policy validator provided courtesy of the W3C at https://www.w3.org/P3P/validator.html

如果按照这些指南构建了自己的单个文件，则可以使用W3C提供的策略验证器对它们进行测试，网址为https://www.w3.org/P3P/validator.html。

谁负责？ (Who’s Responsible?)

Lastly, before you can call yourself an expert, you must be aware that all this P3P stuff still doesn’t specify any sort of evaluation of compliance. A site may well be lying through its teeth about what it does with user data, but, if the policies are in order, the browser is happy. The policy must list a course of action for the user to take in the dispute resolution process, and in most cases, that can be the Direct Marketing Association.

最后，在您可以自称专家之前，您必须意识到，所有这些P3P内容仍未指定任何合规性评估。网站很可能会不屑一顾地处理用户数据，但是，如果政策得当，浏览器很高兴。该政策必须列出用户在争议解决过程中要采取的行动方针，并且在大多数情况下，可以是直销协会。

Well, this was the soft introduction to the world of privacy compliance through P3P as defined by the W3C. If you have learned anything it should be that privacy issues can affect your site’s operation and most certainly your user’s attitude towards you and your business. Armed with this new knowledge, you will, I hope, turn away fewer visitors and make more sales. See the links below for more information.

嗯，这是W3C定义的通过P3P向隐私合规性领域的介绍。如果您学到了什么，那应该是隐私问题会影响您网站的运行，并且最有可能会影响用户对您和您的业务的态度。希望有了这些新知识，您将减少访客数量并带来更多销售。有关更多信息，请参见下面的链接。

Tools

工具类

AlphaWorks IBM Full Policy Generator

AlphaWorks IBM完整策略生成器

Privacy Council Compact Policy Generator

隐私委员会契约政策生成器

Resources

资源资源

How To Make Your Site Compliant In Six Easy Stepshttps://www.w3.org/P3P/usep3p.html

如何通过六个简单步骤使您的网站合规https://www.w3.org/P3P/usep3p.html

A Simple Technical Overviewhttp://www.phpmytools.org/pmt2003/topics.php/article_id/23/pos/0