I recently had a very frustrating experience with a Web application I was working on. A page in the application was designed to be embedded into our customers' websites within an iframe, but in Internet Explorer it wasn't working right; specifically, things that were happening within the popup windows it created (via jQuery) were acting completely disconnected from the underlying page. After some digging, it was clear the system was starting a new session for the pages called in the popups. It turns out this is a well-documented but not well-known quirk of Internet Explorer: at its default privacy setting, IE blocks third-party cookies (and a page in an iframe on someone else's site is a third party) unless the response carries a P3P compact privacy policy header, so our session cookie was never kept. The fix is to write a P3P policy and send its compact form in an HTTP header.
I have written P3P policies in the past with a free tool from IBM Alphaworks. IBM has taken the tool offline, though a quick search will dig up other copies of it. I am not a huge fan of those, since I can't find one from what I consider a reputable source, and I don't like malware on my computer. Also, while it is free and it works, it is a royal hassle to use. This time I chose P3P Wiz, which costs $29.95 for the first year and $19.95 in subsequent years. You only pay once to make a policy; the subscription lets you edit your existing policies. I like that P3P Wiz is wizard driven and contains plenty of boilerplate text to keep you from doing much typing. The time I saved more than justified the $29.95.
A compact policy is just a space-separated string of three-letter tokens (the lowercase suffix marks a purpose as always, opt-in or opt-out), for example:
"CURa ADMa DEVa TAIi PSAi PSDi IVAi IVDi CONi HISa TELi OUR IND DSP CAO COR".
Once you write your policy, P3P Wiz will give you a number of files:
- An HTML file with the human-readable policy. IE shows this when you open the privacy details for a site.
- A policies.xml file with the lengthy full-format version of the policy.
- A headers.txt file showing how to send the compact policy header from various server platforms.
- A p3p.xml policy reference file that points IE to the full policy and the human-readable file.
By default, you should upload these files to a /w3c/ directory on your server (the well-known location where IE looks for a policy reference file) and then add an HTTP header (like: P3P: policyref="http://www.example.com/w3c/p3p.xml", CP="CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR") or a link tag (such as: <link rel="P3Pv1" href="/w3c/p3p.xml">) to your code to point to the full-format policy.
From what I can tell, IE does not compare the compact policy to the full-format policy, and the full-format policy is not needed. Note what that means: the compact policy is a self-declaration that the browser takes at face value, so an inaccurate or over-generous set of tokens gets your cookies accepted exactly as well as an honest one, and nothing in IE will catch the mismatch. That said, if you're going to spend the time and effort to put together an enforceable, accurate P3P policy, it is not much more work to produce the full-format policy as well, since you'll be using a tool like IBM's or P3P Wiz anyway.
To give you an idea of the different ways to add the header, here are the code samples from my headers.txt file from P3P Wiz, made to be more generic:
PHP CODE
header("P3P: policyref=\"http://www.example.com/w3c/p3p.xml\", CP=\"CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR\"");
ASP.NET (C#) CODE
Response.AddHeader("P3P", "CP=\"CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR\"");
PERL CODE (Must be first print statement; end with a single newline so Content-Type and the blank line that closes the headers can follow)
print "P3P: policyref=\"http://www.example.com/w3c/p3p.xml\", CP=\"CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR\"\n";
JSP CODE (response is the implicit HttpServletResponse object)
response.setHeader("P3P", "CP=\"CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR\"");
COLDFUSION CODE
<cfheader name="P3P" value='CP="CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR"' />
HTACCESS CODE (mod_headers required)
Header append P3P 'CP="CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR", policyref="/w3c/p3p.xml"'
The code is the easy part of this project. The difficult part is thinking through everything your application does with private data and making sure the P3P policy accurately describes that use.
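One check worth running before you ship the header is to decode the compact policy back into plain language and make sure every token is one the browser will recognise. The following script is an added example written for this article; it is not the article's own code and not output from P3P Wiz. The token vocabulary and suffix meanings come from the W3C P3P 1.0 specification, the two sample policies are the ones quoted above, and the function names are my own. It sorts the tokens into their groups, reports anything unrecognised, checks that the string carries the pieces a full-format policy must declare (one access token, plus purpose, recipient and retention unless the policy is marked non-identifiable), and formats the P3P header value shown earlier.

```python
"""Decode, sanity-check and format a P3P compact policy (CP).

Token meanings follow the W3C P3P 1.0 specification. The sample policies
in main() are the two quoted in the article; function names are my own.
"""
import re

# Purpose and recipient tokens take an optional suffix: a = always, i = opt-in, o = opt-out.
PURPOSES = {
    "CUR": "completion of the current activity", "ADM": "site administration",
    "DEV": "research and development", "TAI": "one-time tailoring",
    "PSA": "pseudonymous analysis", "PSD": "pseudonymous decision",
    "IVA": "individual analysis", "IVD": "individual decision",
    "CON": "contacting visitors for marketing", "HIS": "historical preservation",
    "TEL": "telemarketing", "OTP": "other purposes",
}
RECIPIENTS = {
    "OUR": "ourselves and our agents", "DEL": "delivery services",
    "SAM": "third parties following our practices", "UNR": "unrelated third parties",
    "PUB": "public fora", "OTR": "other recipients",
}
# The remaining groups take no suffix.
ACCESS = {
    "NOI": "no identified data collected", "ALL": "access to all identified data",
    "CAO": "access to contact and other data", "IDC": "access to identified contact data",
    "OTI": "access to other identified data", "NON": "no access",
}
RETENTION = {"NOR": "not retained", "STP": "kept for the stated purpose",
             "LEG": "kept as legally required", "BUS": "kept per business practices",
             "IND": "kept indefinitely"}
CATEGORIES = frozenset("PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC".split())
OTHER = {"DSP": "disputes handled as described in the full policy", "COR": "remedy: correction",
         "MON": "remedy: money", "LAW": "remedy: law", "NID": "non-identifiable data only",
         "TST": "test policy"}
SUFFIX = {"": "", "a": "always", "i": "opt-in", "o": "opt-out"}
_TOKEN = re.compile(r"^([A-Z]{3})([aio]?)$")  # upper-case token, lower-case suffix, as the spec writes them


def decode_compact_policy(cp):
    """Sort the tokens of a CP string into groups; anything unrecognised goes to 'unknown'."""
    groups = {k: [] for k in ("access", "purpose", "recipient", "retention",
                              "category", "other", "unknown")}
    for raw in cp.split():
        m = _TOKEN.match(raw)
        tok, suf = m.groups() if m else (None, None)
        if tok in PURPOSES:
            groups["purpose"].append((tok, SUFFIX[suf]))
        elif tok in RECIPIENTS:
            groups["recipient"].append((tok, SUFFIX[suf]))
        elif not m or suf:  # malformed, or a suffix on a token that takes none
            groups["unknown"].append(raw)
        elif tok in ACCESS:
            groups["access"].append(tok)
        elif tok in RETENTION:
            groups["retention"].append(tok)
        elif tok in CATEGORIES:
            groups["category"].append(tok)
        elif tok in OTHER:
            groups["other"].append(tok)
        else:
            groups["unknown"].append(raw)
    return groups


def check_compact_policy(cp):
    """Problems to fix before shipping. The structural rules mirror what a full-format
    policy must declare: one ACCESS, and PURPOSE, RECIPIENT and RETENTION for any
    statement about identifiable data (waived only by NID)."""
    d = decode_compact_policy(cp)
    problems = []
    if d["unknown"]:
        problems.append("unrecognised tokens: " + " ".join(d["unknown"]))
    if len(d["access"]) != 1:
        problems.append("expected exactly one access token, found %d" % len(d["access"]))
    if "NID" not in d["other"]:
        problems += ["no %s token" % g for g in ("purpose", "recipient", "retention") if not d[g]]
    if "TST" in d["other"]:
        problems.append("TST present: the spec marks this as a test policy, which user agents ignore")
    return problems


def build_p3p_header(cp, policyref=""):
    """Value for the P3P response header, e.g. policyref="/w3c/p3p.xml", CP="...".
    Refuses to format a CP that fails check_compact_policy()."""
    problems = check_compact_policy(cp)
    if problems:
        raise ValueError("; ".join(problems))
    value = 'CP="%s"' % cp
    return 'policyref="%s", %s' % (policyref, value) if policyref else value


if __name__ == "__main__":
    samples = ("CURa ADMa DEVa TAIi PSAi PSDi IVAi IVDi CONi HISa TELi OUR IND DSP CAO COR",
               "CURa ADMa DEVa CONo HISa OUR IND DSP ALL COR")
    for cp in samples:
        print("P3P: " + build_p3p_header(cp, "/w3c/p3p.xml"))
        for tok, suf in decode_compact_policy(cp)["purpose"]:
            print("   purpose: %s (%s)" % (PURPOSES[tok], suf or "no consent qualifier"))
    print(check_compact_policy("CURa ADMa OUR"))  # hand-edited string missing access and retention
```

Run it against the CP you intend to send; the last call in main() shows how a hand-edited string that drops the access and retention tokens is rejected. The check is structural only: it can tell you that "CONo" means you contact visitors for marketing with an opt-out, but not whether that is what your application actually does, which is the part you still have to think through yourself.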
J.Ja
Justin James is the Lead Architect for Conigent.