The Importance of P3P and a Compact Privacy Policy

[image: P3p1]
UPDATE: Feedburner support rocks. One thing you can say about Web 2.0, it's agile. Feedburner is currently rolling out P3P based on this post. Some interesting talk happening in the comments of this post about possibly passing on/through existing policy!

I noticed recently that a number of cookies from Feedburner were being blocked by my browser. In this case, I was running IE6 in Medium Security Mode, the default mode. They don't have a Compact Privacy Policy returned in their HTTP Headers:

GET /~s/ScottHanselman?i=http://www.hanselman.com/blog/foofoo HTTP/1.1
Accept: */*
Referer: http://www.hanselman.com/blog/foofoo
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (blah blah blah)
Host: feeds.feedburner.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 01 Aug 2006 07:02:46 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) mod_fastcgi/2.4.2 mod_jk/1.2.15
Set-Cookie: fbsite=xxxxxxx-xxx-xxxx-xxxx-xxxx-xxx
Content-Length: 1809
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Content-Type: application/x-javascript;charset=ISO-8859-1

What is Platform for Privacy Preferences (P3P)?

The P3P standard is designed to do one job and do it well - to communicate to users, simply and automatically, a Web site's stated privacy policies, and how they compare with the user's own policy preferences. Although P3P provides a technical mechanism for helping inform users about privacy policies before they release personal information, it does not provide a mechanism for ensuring sites act according to their policies.

In most cases, the first time a user visits a Web site, their browser will have to make one or two additional requests in order to locate and fetch the P3P policy. These requests may impose some minimal latency; however, the delay caused by this should usually be less than the delay from fetching a single image in a Web page. Subsequent requests to the same site will usually not incur any additional latency due to P3P, as long as the site's policy has not expired.

Currently both Internet Explorer 6 and Netscape 7 implement privacy-related features based on the P3P standard.

Nine aspects of online privacy are covered by P3P. Five detail the data being tracked by the site.

  • Who is collecting this data?
  • Exactly what information is being collected?
  • For what purposes?
  • Which information is being shared with others?
  • And who are these data recipients?

The remaining four explain the site's internal privacy policies.

  • Can users make changes in how their data is used?
  • How are disputes resolved?
  • What is the policy for retaining data?
  • And finally, where can the detailed policies be found in "human readable" form?

P3P policies aim to answer all these questions and allow the user, and the user's browser, to make decisions about content presentation and cookie acceptance based on answers to these questions.

Technical Details

P3P is a way of expressing a site's published privacy policy through HTTP headers. The full policy is an XML document, and the HTTP header carries a reference that points the user agent to it.

Example

1. Client makes a GET request.

1.客户端发出GET请求。

GET /index.html HTTP/1.1
Host: catalog.example.com
Accept: */*
Accept-Language: de, en
User-Agent: WonderBrowser/5.2 (RT-11)

2. Server returns content and the P3P header pointing to the policy of the resource.

HTTP/1.1 200 OK
P3P: policyref="http://catalog.example.com/P3P/PolicyReferences.xml"
Content-Type: text/html
Content-Length: 7413
Server: CC-Galaxy/1.3.18

The alternative, and in practice the more common one, is a compact policy: a summarized P3P policy that gives the user agent enough hints to make quick, synchronous decisions about applying policy before the full XML policy is fetched. A compact policy covers only the cookies set by the response that carries it, which is why it is the form browsers consult when deciding whether to accept a Set-Cookie. Compact policies are a performance optimization that is optional for both user agents and servers. A user agent that cannot obtain enough information from a compact policy to decide according to the user's preferences SHOULD fetch the full policy.

Example

1. Client makes a GET request.

1.客户端发出GET请求。

GET http://news.com.com/html/js/timediff.js HTTP/1.1
Host: news.com.com
Accept: */*
Accept-Language: en-us,es;q=0.7,he;q=0.3
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

2. Server returns content and the P3P header including the compact policy.

HTTP/1.1 200 OK
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: text/html
Content-Length: 2248

Compact policies can be written by hand, but the syntax is nuanced. Most developers use a commercial web-based questionnaire such as http://p3pedit.com/. The resulting compact policy can be applied directly, often without source code changes, through the web server's administration tool.
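
To check a response the way the browser does, here is an added example in Python (not code from the original post, from Feedburner or from the W3C): it parses a raw HTTP response, joins folded header lines, pulls the policyref and CP directives out of the P3P header, validates every compact-policy token against the P3P 1.0 vocabulary, and flags cookies set with no compact policy at all, which is what the Feedburner response at the top of the post lacked. The sample responses are constructed to mirror the ones quoted on this page; the session cookie in the news.com.com sample is added here for illustration.

```python
"""Audit an HTTP response for a P3P compact policy before trusting its cookies.

Added example, not code from the original post. The responses at the bottom are
constructed to mirror the ones quoted on the page.
"""
import re

# P3P 1.0 compact-policy vocabulary, grouped by the policy element each token stands for.
CP_TOKENS = {
    "access":    {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":  {"DSP"},
    "remedies":  {"COR", "MON", "LAW"},
    "non-ident": {"NID"},
    "purpose":   {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                  "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "OTR", "UNR", "PUB"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":  {"PHY", "ONL", "GOV", "FIN", "CUS", "UNI", "PUR", "COM", "NAV",
                  "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"},
    "test":      {"TST"},
}
TOKEN_TO_ELEMENT = {tok: el for el, toks in CP_TOKENS.items() for tok in toks}
# Purpose and recipient tokens take a one-letter suffix: a = always, i = opt-in,
# o = opt-out. The spec lists CUR and OUR without one, but real headers such as the
# news.com.com example above write CURa, so the suffix is accepted on all of them.
SUFFIXED = CP_TOKENS["purpose"] | CP_TOKENS["recipient"]
P3P_DIRECTIVE = re.compile(r'(policyref|CP)\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_compact_policy(cp):
    """Return [(element, token, suffix)] for a CP string; ValueError on an unknown token."""
    parsed = []
    for raw in cp.split():
        base, suffix = raw[:3].upper(), raw[3:].lower()
        if base not in TOKEN_TO_ELEMENT:
            raise ValueError(f"unknown compact-policy token: {raw!r}")
        if suffix and (base not in SUFFIXED or suffix not in ("a", "i", "o")):
            raise ValueError(f"bad suffix on compact-policy token: {raw!r}")
        parsed.append((TOKEN_TO_ELEMENT[base], base, suffix))
    return parsed


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body).

    Header names are lower-cased; a folded continuation line (the Feedburner
    Set-Cookie above is split across two lines) is joined to the previous header.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_cookies(raw_response):
    """Report the cookies a response sets and whether a compact policy accompanies them.

    needs_compact_policy is True when cookies are set with no CP at all: the case
    IE6's default Medium level blocks for a third-party site without fetching the
    full policy.
    """
    _, headers, _ = parse_response(raw_response)
    cookies = [v.split(";", 1)[0].split("=", 1)[0].strip()
               for n, v in headers if n == "set-cookie"]
    p3p = {k.lower(): v for n, val in headers if n == "p3p"
           for k, v in P3P_DIRECTIVE.findall(val)}
    cp = p3p.get("cp")
    return {
        "cookies": cookies,
        "policyref": p3p.get("policyref"),
        "compact_policy": parse_compact_policy(cp) if cp is not None else None,
        "needs_compact_policy": bool(cookies) and cp is None,
    }


# Constructed samples modelled on the responses quoted on this page (bodies abbreviated).
FEEDBURNER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 01 Aug 2006 07:02:46 GMT\r\n"
    "Set-Cookie:\r\n"
    "    fbsite=xxxxxxx-xxx-xxxx-xxxx-xxxx-xxx\r\n"
    "Content-Type: application/x-javascript;charset=ISO-8859-1\r\n"
    "\r\n/* script body */"
)
CATALOG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'P3P: policyref="http://catalog.example.com/P3P/PolicyReferences.xml"\r\n'
    "Content-Type: text/html\r\n\r\n<html></html>"
)
NEWS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND '
    'PHY ONL UNI FIN COM NAV INT DEM STA"\r\n'
    "Set-Cookie: session=abc123; Path=/\r\n"  # cookie added for this example
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("feedburner", FEEDBURNER_RESPONSE),
                        ("catalog", CATALOG_RESPONSE), ("news", NEWS_RESPONSE)):
        print(label, audit_cookies(resp))
```

Run it over responses captured from a proxy and the needs_compact_policy flag points straight at the third-party cookies IE6's default level would drop; a ValueError from parse_compact_policy means a header a browser may not understand at all.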

How does it affect the end user?

If an end user has set their browser (IE6 in this example) to the "High" privacy level, every cookie from a site that does not send a P3P compact policy is blocked; at the default "Medium" level, which is what blocked the Feedburner cookie above, the same happens to third-party cookies. The user is told about the blocked cookie only by an icon in the browser's status bar, which is too subtle for most users to notice. Had the site published a P3P compact policy that the browser did not rate as unsatisfactory, the cookie would have been accepted even with the privacy setting at "High."

[image: P3p2]

If your site doesn't have a P3P policy you are virtually guaranteed calls from users who are unable to log in. If you run a blog with third-party advertising, you're likely not getting a complete view of your users, because most of them are blocking your cookies.

It is important to point out that Privacy options are not Security options. Cookies, used correctly, are not inherently insecure as a technology. They provide a valuable function for the end user and the developer.

[image: P3p3]

Note that if the user sets their privacy settings to "Block All Cookies" there is nothing that can be done on the server-side – they have chosen not to receive cookies.

What should I do?

Use an online questionnaire like http://p3pedit.com/ to generate a P3P Policy XML file and a Compact Policy to be applied to the site.

Use Internet Services Manager within MMC to configure Microsoft Internet Information Services (IIS) to set custom header properties on pages, virtual directories, or entire Web sites. To enable the P3P custom header, configure IIS in Internet Services Manager as follows. (NOTE: if you don't have access to your IIS instance, or your ISP doesn't want to help you out, you can also add these HTTP headers programmatically using an HttpModule.)

1. Right-click the desired page, directory, or site, and then click Properties.
2. On the HTTP Headers tab, click Add.
3. In the Custom Header Name field, type P3P.
4. In the Custom Header Value field, enter your Compact P3P Policy in the form shown in the example above (CP="…"), and then click OK.

You can then validate your site's compliance with P3P using the W3C's online validator at http://www.w3.org/P3P/validator.html. There is a detailed deployment guide available.
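If you cannot reach the IIS administration tool, the same header can be set in application code. The following is an added example, not code from the original post: a Python WSGI middleware that does what the HttpModule the post mentions would do in ASP.NET, stamping one P3P header on every response so that a login cookie is never sent without it. The compact policy reuses the page's news.com.com sample and the policyref path /w3c/p3p.xml is an assumed location; substitute the policy generated for your own site.

```python
"""Add the P3P header in application code when the server's admin tool is out of reach.

Added example, not code from the original post: a WSGI middleware standing in for
the ASP.NET HttpModule the post mentions. Policy values are placeholders.
"""

# Assumed values: the CP is the page's sample policy, policyref is a path chosen here.
COMPACT_POLICY = ("CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND "
                  "PHY ONL UNI FIN COM NAV INT DEM STA")
POLICY_REF = "/w3c/p3p.xml"


def p3p_header_value(compact_policy=COMPACT_POLICY, policyref=POLICY_REF):
    """Both directives in one header value; the double quotes are part of the syntax."""
    return f'policyref="{policyref}", CP="{compact_policy}"'


class P3PMiddleware:
    """Stamp every response with exactly one P3P header, replacing any the app set itself."""

    def __init__(self, app, header_value=None):
        self.app = app
        self.header_value = header_value or p3p_header_value()

    def __call__(self, environ, start_response):
        def start_with_p3p(status, headers, exc_info=None):
            # Drop any P3P header the application emitted so the configured one wins.
            headers = [(k, v) for k, v in headers if k.lower() != "p3p"]
            headers.append(("P3P", self.header_value))
            return start_response(status, headers, exc_info)
        return self.app(environ, start_with_p3p)


def login_app(environ, start_response):
    """Stand-in application that sets a session cookie, the case users get locked out of."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
    return [b"logged in"]


def call_app(app, path="/login"):
    """Drive a WSGI app without a server; returns (status, header list, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


app = P3PMiddleware(login_app)

if __name__ == "__main__":
    print(call_app(app))
```

Because the middleware wraps start_response, it covers every handler behind it, including error pages, which is the same reason the post recommends setting the header at the site level in IIS rather than page by page.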

Translated from: https://www.hanselman.com/blog/the-importance-of-p3p-and-a-compact-privacy-policy
