以 Internet Explorer 为例,默认情况下,IE的隐私策略如下图所设:
请注意其中这一条:阻止保存可用来联系您的信息而没有您的明确同意的第三方Cookie。
下面我们首先来演示一下,这一条起作用的情况:
站点 b.com 有这样一个网页: http://b.com/WebApp_P3P/p3p.htm
这个页面的源代码如下:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>P3P Testtitle> head> <body> 1232sasdsa<br/> <iframe src="http://a.net/WebApp_P3P/a_setcookie.aspx" >iframe> body> html>
这个源代码中用 iframe 包含了 a.net 站点的一个页面。 这时候所谓的的第一方站点就是 b.com 站点,第三方站点就是 a.net 站点。
http://a.net/WebApp_P3P/a_setcookie.aspx 的功能很简单,就是写一个长期保存的Cookie,代码如下:
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd"> <script runat="server"> protected void Page_Load(object sender, EventArgs e) { HttpCookie hc = new HttpCookie("ghj", string.Format("aaaa_{0}_{1}", DateTime.Now, Request.Url)); hc.Domain = ".a.net"; hc.Expires = DateTime.Now.AddDays(14); hc.Path = "/"; Response.Cookies.Add(hc); Response.Write("aaaa"); } script> <html xmlns="http://www.w3.org/1999/xhtml"> <head runat="server"> <title>p3p testtitle> head> <body> body> html> 当我们访问 http://b.com/WebApp_P3P/p3p.htm 地址时,情况如下,
注意, 中间的 (图三)提示,我们双击这个图标可以看到下面窗体
我们另外写一个页面 http://a.net/WebApp_P3p/a_getcookie.aspx 来获取Cookie, 代码如下:
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd"> <script runat="server"> protected void Page_Load(object sender, EventArgs e) { if (Request.Cookies.AllKeys.Contains<string>("ghj")) this.Label1.Text = Request.Cookies["ghj"].Value; else this.Label1.Text = "null"; } script> <html xmlns="http://www.w3.org/1999/xhtml"> <head runat="server"> <title>P3P Demotitle> head> <body> <form id="form1" runat="server" style="height:100%"> <asp:Label ID="Label1" runat="server" Text="Label" /><br/> form> body> html>
我们首先访问 http://b.com/WebApp_P3P/p3p.htm ; 然后访问 http://a.net/WebApp_P3p/a_getcookie.aspx 这个页面,我们会发现,没有Cookie。
类似的,我们用下面几种写法,都是一样的,无法在第三方网站创建Cookie。
<script src="http://a.net/WebApp_P3P/a_setcookie.aspx" >script> <img src="http://a.net/WebApp_P3P/a_setcookie.aspx" />
上面的演示,你本机也可以进行,只需要做如下修改:
使用后面命令 notepad C:/Windows/System32/drivers/etc/hosts 打开 hosts文件,确保 hosts文件增加下面2两行:
127.0.0.1 a.net
127.0.0.1 b.com
如果解决这个问题呢?
一个非常简单的解决方案就是修改 http://a.net/WebApp_P3P/a_setcookie.aspx 文件,在其中增加下面一行代码:
Response.Headers.Add("P3P", "CP=/"CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR/"");
这行代码就是一个简单的P3P应用,那P3P又是啥呢?
P3P(Platform for Privacy Preferences)(隐私权偏好选项平台)是W3C(World Wide Web Consortium)公布的一项隐私保护推荐标准。Microsoft Internet Explorer 6 (IE6) 是第一个支持这项新隐私权标准的浏览器。 采用 P3P 之后,您可以设置浏览器自动侦测网站是否:收集个人标识信息、使用这些信息创建用户档案、或允许到访者拒绝数据收集。
具备 P3P 能力的浏览器具有一些可供您选择的默认选项。 或者您也可以通过回答问题的方式(例如您愿意分享哪些数据、愿意接受哪些类型的 Cookie 文件)自定义您的设置。 当您在 Web 浏览时,这个软件会判断您的隐私权偏好选项是否与网站的数据收集做法匹配。
具备 P3P 能力的浏览器会特别注意 Cookie。 Cookie 是留存在您计算机硬盘上的一段文本,它可以让 Web 应用程序以个体方式对您响应。 通过收集和记忆您的偏好选项信息,Web 应用程序可以根据您的需求、喜欢什么、不喜欢什么等来修改它的运作模式。 使用具备 P3P 能力的浏览器,您可以选择是否接受各种类型的 Cookie,例如阶段性(暂时性)、永久性、在指定的网域之内或之外(第三方),以及有没有特殊的 ”P3P 精简政策” (P3P compact policy) 文件。 精简 P3P 政策描述了给定 Cookie 的属性。
对于上面的只是, Internet Explorer 就体现在本文第一张图上对浏览器隐私的设置上。以及进一步的设置中,图四中,我们选中站点,摘要按钮就可以用了,点击摘要按钮可以看到下面信息:
从技术上看,P3P包括了两个组件:一个放在服务器端;另外一个放在客户端,形成一个用户代理。当用户登陆网站的时候,服务器端的组件根据网站的要求,会自动生成XML语言形式的用户个人处理策略,这就像是贴在商店橱窗外的公众告示,而客户端的组件就将这个“公众告示”提供给用户。
上面例子中隐私策略中 CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR 的意思是啥。 Fiddler可以方便的知道,在Fiddler 中我们可以看到如下信息:
Response sets a cookie:
Set-Cookie: ghj=aaaa_2009/11/27 15:55:56_http://a.net/WebApp_P3P/a_setcookie.aspx; domain=.a.net; expires=Fri, 11-Dec-2009 07:55:56 GMT; path=/
P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.
CURa
Information is used to complete the activity for which it was provided.
ADMa
Information may be used for the technical support of the Web site and its computer system.
DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.
UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.
INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
DEM
Data about an individual's characteristics -- such as gender, age, and income.
STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.
COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
OTC
Other types of data not captured by the above definitions.
NOI
Web Site does not collected identified data.
DSP
The privacy policy contains DISPUTES elements.
COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
Validate at: http://www.w3.org/P3P/validator.html
Learn more at: http://www.fiddler2.com/redir/?id=p3pinfo
P3P这个Http头的写法有很多组合,自己写很痛苦,通过下面这个连接 http://www.w3.org/P3P/details.html 您可以找到一些P3P策略生成器软件包。(虽然如果在Google上搜索,您会发现更多搜索结果,但提供免费使用的好象只有IBM的P3P策略编辑器IBM's P3P Policy Editor。)
注意:
Visual Studio 自带的开发站点(ASP.NET Development Server)是不支持这个功能的,它会报错误:This operation requires IIS integrated pipeline mode.
参考资料:
用P3P解决第三方cookie存取的问题
http://www.javaeye.com/topic/94336
IBM P3P Policy Editor
http://www.alphaworks.ibm.com/tech/p3peditor
How to configure IIS to use Platform for Privacy Preferences (P3P)
http://support.microsoft.com/kb/324013/en-us
How to Deploy P3P Privacy Policies on Your Web Site
http://msdn.microsoft.com/en-us/library/ms537341(VS.85).aspx
Add a Custom HTTP Response Header (IIS 7)
http://technet.microsoft.com/en-us/library/cc753133(WS.10).aspx
私有参数选择平台——P3P(关于Cookies)
http://www.yxl.cn/Info/20060302,212041,5095.html
使用P3P
http://welcome.hp.com/country/cn/zh/privacy/p3p_popup.html
用P3P header解决iframe跨域访问cookie/session
http://blog.csdn.net/Hashxu/archive/2009/01/02/3684402.aspx
利用P3P跨域传COOKIE
http://hi.baidu.com/thinkinginlamp/blog/item/5e2a02084f1dafd163d9865f.html
使用p3p解决Iframe中cookie跨域问题
http://blog.ntsky.com/p3p-iframe-cookie.html
通过设置P3P头来实现跨域访问COOKIE
http://blog.c114.net/html/38/193738-35549.html
P3P
http://www.hudong.com/wiki/p3p
转自: http://blog.csdn.net/ghj1976/archive/2009/11/27/4889219.aspx