P3P是什么

P3P(Platform for Privacy Preferences)是W3C公布的一项隐私保护推荐标准,以为用户提供隐私保护。 P3P标准的构想是:Web 站点的隐私策略应该告之访问者该站点所收集的信息类型、信息将提供给哪些人、信息将被保留多少时间及其使用信息的方式,如站点应做诸如 “本网站将监测您所访问的页面以提高站点的使用率”或“本网站将尽可能为您提供更合适的广告”等申明。访问支持P3P网站的用户有权查看站点隐私报告,然 后决定是否接受cookie 或是否使用该网站。

如何利用P3P实现跨域

在开发中,我们碰到的跨域主要还是纠结在IE,页面中的IFRAME或者FRAME或者JS跨域的时候,IE有安全策略限制页面不带cookie,但是如果我们加上P3P,就没有这策略的限制。这也是P3P来突破跨域的可行前提。

PHP实现P3P跨域

header("p3p: CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""); header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

P3P的头部参数解释

P3P Header is present: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in. CURa Information is used to complete the activity for which it was provided. ADMa Information may be used for the technical support of the Web site and its computer system. DEVa Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. PSAo Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. PSDo Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. OUR We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent. BUS Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy. UNI Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service. PUR Information actively generated by the purchase of a product or service, including information about the method of payment. INT Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity. DEM Data about an individual's characteristics -- such as gender, age, and income. STA Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies. PRE Data about an individual's likes and dislikes -- such as favorite color or musical tastes. COM Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system. NAV Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page. OTC Other types of data not captured by the above definitions. NOI Web Site does not collected identified data. DSP The privacy policy contains DISPUTES elements. COR Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.