A Brief Introduction to P3P

Taking Internet Explorer as an example, IE's default privacy settings are shown in the figure below:

[Figure 1]

Note this item in particular: "Block third-party cookies that save information that can be used to contact you without your explicit consent."

Let us first demonstrate a case in which this rule takes effect:

Site b.com has the page http://b.com/WebApp_P3P/p3p.htm

The source of this page is as follows:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>P3P Test</title>
</head>
<body>
1232sasdsa<br/>
<!-- the framed page belongs to a different site (a.net), so it is third-party content here -->
<iframe src="http://a.net/WebApp_P3P/a_setcookie.aspx" ></iframe>
</body>
</html>

This source uses an iframe to embed a page from the a.net site. In this situation the so-called first-party site is b.com and the third-party site is a.net.

http://a.net/WebApp_P3P/a_setcookie.aspx does something very simple: it writes a persistent cookie. The code is as follows:

<%@ Page Language="C#" %>
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        // Persistent cookie scoped to the whole .a.net domain, valid for 14 days
        HttpCookie hc = new HttpCookie("ghj", string.Format("aaaa_{0}_{1}", DateTime.Now, Request.Url));
        hc.Domain = ".a.net";
        hc.Expires = DateTime.Now.AddDays(14);
        hc.Path = "/";
        Response.Cookies.Add(hc);
        Response.Write("aaaa");
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>p3p test</title>
</head>
<body>
</body>
</html>

When we visit http://b.com/WebApp_P3P/p3p.htm, we see the following:

[Figure 2]

Note the icon in the middle of the status bar (Figure 3); double-clicking it opens the window below:

[Figure 4]

We write another page, http://a.net/WebApp_P3p/a_getcookie.aspx, to read the cookie. The code is as follows:

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Linq" %>
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        // Show the cookie value if the browser sent it back, otherwise "null"
        if (Request.Cookies.AllKeys.Contains<string>("ghj"))
            this.Label1.Text = Request.Cookies["ghj"].Value;
        else
            this.Label1.Text = "null";
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>P3P Demo</title>
</head>
<body>
    <form id="form1" runat="server" style="height:100%">
    <asp:Label ID="Label1" runat="server" Text="Label" /><br/>
    </form>
</body>
</html>

First visit http://b.com/WebApp_P3P/p3p.htm, then visit http://a.net/WebApp_P3p/a_getcookie.aspx; we find that there is no cookie.

Similarly, the following ways of including the page all behave the same way: the third-party site cannot create a cookie.

<script src="http://a.net/WebApp_P3P/a_setcookie.aspx" ></script>
<img src="http://a.net/WebApp_P3P/a_setcookie.aspx" />

You can reproduce the demonstration above on your own machine with the following change:

Open the hosts file with the command notepad C:/Windows/System32/drivers/etc/hosts and make sure it contains these two lines:

127.0.0.1       a.net 
127.0.0.1       b.com

How do we solve this problem?

A very simple solution is to modify http://a.net/WebApp_P3P/a_setcookie.aspx and add the following line of code:

Response.Headers.Add("P3P", "CP=\"CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR\"");
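To make the before-and-after behaviour checkable without a browser, here is an added Python example (not code from the original post) that parses the raw response headers a.net sends and applies the rule this demonstration exhibits: a cookie set from a third-party context is dropped by IE's default privacy setting unless the response also carries a P3P header with a CP compact policy. The two sample responses are constructed here from the Set-Cookie and P3P lines that appear in the Fiddler output later in this article; the same-site test uses a simplified last-two-labels rule rather than the public suffix list, and the model deliberately stops at "is a compact policy present", since IE additionally evaluates the policy's tokens.

```python
import re

# Constructed sample: the response a.net sends before the fix (no P3P header).
# The Set-Cookie line mirrors the one shown in the Fiddler output of the post.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: ghj=aaaa_2009/11/27 15:55:56_http://a.net/WebApp_P3P/a_setcookie.aspx; "
    "domain=.a.net; expires=Fri, 11-Dec-2009 07:55:56 GMT; path=/\r\n"
    "\r\n"
    "aaaa"
)

# Constructed sample: the same response after Response.Headers.Add("P3P", ...).
RESPONSE_AFTER = RESPONSE_BEFORE.replace(
    "\r\n\r\n",
    '\r\nP3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"\r\n\r\n',
    1,
)

CP_RE = re.compile(r'CP\s*=\s*"?([^",]*)"?', re.IGNORECASE)


def parse_head(raw_response):
    """Split a raw HTTP response into {header-name-lowercase: [values]}."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def compact_policy(headers):
    """Return the CP token list from the P3P header, or None if no compact policy is present."""
    for value in headers.get("p3p", []):
        match = CP_RE.search(value)
        if match:
            return match.group(1).split()
    return None


def registrable_domain(host):
    """Simplified site identity: the last two labels (a.net, b.com).

    Real browsers consult the public suffix list; two labels suffice for the demo hosts.
    """
    return ".".join(host.lower().strip(".").split(".")[-2:])


def cookie_verdict(raw_response, response_host, top_level_host):
    """Judge a Set-Cookie under the IE default rule the post demonstrates.

    Returns one of:
      'no-cookie'             - the response sets no cookie
      'accepted-first-party'  - same site as the top-level page
      'blocked-no-cp'         - third-party cookie without a compact policy
      'accepted-with-cp'      - third-party cookie with a compact policy
    Simplified model: IE also evaluates the CP tokens themselves; not modelled here.
    """
    headers = parse_head(raw_response)
    if "set-cookie" not in headers:
        return "no-cookie"
    if registrable_domain(response_host) == registrable_domain(top_level_host):
        return "accepted-first-party"
    return "accepted-with-cp" if compact_policy(headers) else "blocked-no-cp"


if __name__ == "__main__":
    # a.net framed by b.com, before and after the P3P header is added
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, cookie_verdict(raw, "a.net", "b.com"))
```

Run as a script it prints the verdict for both responses; in a test harness you would feed it the actual bytes captured from the server to confirm that every cookie-setting response in a third-party context carries a compact policy.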

 

The Response.Headers.Add line above is a simple application of P3P. So what is P3P?

P3P (Platform for Privacy Preferences) is a privacy-protection recommendation published by the W3C (World Wide Web Consortium). Microsoft Internet Explorer 6 (IE6) was the first browser to support this new privacy standard. With P3P, you can configure the browser to automatically detect whether a website collects personally identifiable information, uses that information to build user profiles, or allows visitors to refuse data collection.

A P3P-capable browser offers some default options you can choose from. Alternatively, you can customize your settings by answering questions (for example, which data you are willing to share and which types of cookies you are willing to accept). As you browse the web, the software judges whether your privacy preferences match the website's data-collection practices.

P3P-capable browsers pay particular attention to cookies. A cookie is a piece of text left on your computer's hard disk that lets a web application respond to you as an individual. By collecting and remembering information about your preferences, a web application can adapt its behaviour to your needs, to what you like and what you dislike. With a P3P-capable browser you can choose whether to accept the various kinds of cookies: session (temporary), persistent, within or outside the specified domain (third-party), and with or without a special "P3P compact policy" document. A compact P3P policy describes the attributes of a given cookie.

In Internet Explorer, this is reflected in the browser privacy settings shown in the first figure of this article, and in the further settings of Figure 4: once we select a site there, the Summary button becomes enabled, and clicking it shows the following:

[Figure 5] Select the site; the Summary button becomes enabled; click Summary

[Figure 6] Privacy policy adjustment window

 

Technically, P3P consists of two components: one on the server side and one on the client side, which forms a user agent. When a user visits a website, the server-side component generates, according to the site's requirements, the site's personal-data handling policy in XML form; this is like a public notice posted in a shop window, and the client-side component presents this "public notice" to the user.

What do the tokens CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR in the privacy policy above mean? Fiddler makes this easy to find out; in Fiddler we see the following:

Response sets a cookie: 
    Set-Cookie: ghj=aaaa_2009/11/27 15:55:56_http://a.net/WebApp_P3P/a_setcookie.aspx; domain=.a.net; expires=Fri, 11-Dec-2009 07:55:56 GMT; path=/

P3P Header is present: 
    CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.

CURa 
Information is used to complete the activity for which it was provided.

ADMa 
Information may be used for the technical support of the Web site and its computer system.

DEVa 
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.

PSAo 
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

PSDo 
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

OUR 
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

BUS 
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.

UNI 
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.

PUR 
Information actively generated by the purchase of a product or service, including information about the method of payment.

INT 
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.

DEM 
Data about an individual's characteristics -- such as gender, age, and income.

STA 
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.

PRE 
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.

COM 
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.

NAV 
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.

OTC 
Other types of data not captured by the above definitions.

NOI 
Web Site does not collected identified data.

DSP 
The privacy policy contains DISPUTES elements.

COR 
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

Validate at: http://www.w3.org/P3P/validator.html 
Learn more at: http://www.fiddler2.com/redir/?id=p3pinfo
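Because the compact policy is easy to get wrong by hand, here is an added Python validator (not code from the original post or from Fiddler) that parses a CP string into its tokens using the meanings listed in the Fiddler output above (abbreviated), applies the suffix rule (a trailing o is opt-out, i is opt-in; the P3P specification's a means always, which this example also recognises), and rejects unknown tokens, or suffixes on tokens that do not take one, before the value reaches Response.Headers.Add. Only the tokens that appear on this page are in its table; a production table would be filled in from the P3P specification.

```python
# Token table: base token -> (kind, abbreviated meaning). Only the tokens that
# appear in this article's policy are listed; extend from the P3P specification.
TOKENS = {
    # purpose tokens: may carry a suffix a (always), i (opt-in), o (opt-out)
    "CUR": ("purpose", "complete the activity for which data was provided"),
    "ADM": ("purpose", "technical support of the site and its systems"),
    "DEV": ("purpose", "enhance, evaluate or review the site, service or product"),
    "PSA": ("purpose", "pseudonymous profiling for research, analysis and reporting"),
    "PSD": ("purpose", "pseudonymous profiling for decisions affecting the individual"),
    # recipient tokens: may also carry a suffix
    "OUR": ("recipient", "ourselves and entities acting as our agents"),
    # retention, data categories, access, disputes and remedies: no suffix
    "BUS": ("retention", "retained under the provider's stated business practices"),
    "UNI": ("category", "non-financial, non-government unique identifiers"),
    "PUR": ("category", "purchase information including payment method"),
    "INT": ("category", "explicit interactions with the service"),
    "DEM": ("category", "demographic data such as gender, age, income"),
    "STA": ("category", "state-management mechanisms such as HTTP cookies"),
    "PRE": ("category", "preference data such as likes and dislikes"),
    "COM": ("category", "computer information such as IP, domain, browser, OS"),
    "NAV": ("category", "navigation and click-stream data"),
    "OTC": ("category", "other data not covered above"),
    "NOI": ("access", "site does not collect identified data"),
    "DSP": ("disputes", "policy contains DISPUTES elements"),
    "COR": ("remedy", "errors or wrongful actions will be corrected by the service"),
}
SUFFIXES = {"a": "always", "i": "opt-in", "o": "opt-out"}
SUFFIX_KINDS = {"purpose", "recipient"}

# The policy used in this article, as constructed input for the demo below.
ARTICLE_POLICY = "CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"


def parse_compact_policy(cp):
    """Return a list of (token, kind, consent, meaning); raise ValueError on a bad token."""
    parsed = []
    for raw in cp.split():
        base, suffix = raw[:3], raw[3:]
        if len(raw) not in (3, 4) or base not in TOKENS:
            raise ValueError("unknown compact-policy token: %r" % raw)
        kind, meaning = TOKENS[base]
        if suffix:
            if kind not in SUFFIX_KINDS or suffix not in SUFFIXES:
                raise ValueError("token %s does not take suffix %r" % (base, suffix))
            consent = SUFFIXES[suffix]
        else:
            # purpose/recipient tokens without a suffix default to "always"
            consent = "always" if kind in SUFFIX_KINDS else None
        parsed.append((base, kind, consent, meaning))
    return parsed


def build_p3p_header(tokens):
    """Validate the tokens and return the header value to send (the CP="..." string)."""
    cp = " ".join(tokens)
    parse_compact_policy(cp)  # a typo raises here instead of silently reaching production
    return 'CP="%s"' % cp


def opt_out_tokens(cp):
    """Purposes or recipients the policy only lets the user opt out of (trailing 'o')."""
    return [base for base, _, consent, _ in parse_compact_policy(cp) if consent == "opt-out"]


if __name__ == "__main__":
    for base, kind, consent, meaning in parse_compact_policy(ARTICLE_POLICY):
        print("%-4s %-9s %-8s %s" % (base, kind, consent or "-", meaning))
    print(build_p3p_header(ARTICLE_POLICY.split()))
```

The parser deliberately keeps the suffix separate from the base token, so a policy review can list exactly which purposes are declared opt-out (here PSA and PSD, the pseudonymous profiling purposes) rather than having to read the raw string.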

The P3P HTTP header can be written in many combinations, and writing it by hand is painful. Through the link http://www.w3.org/P3P/details.html you can find some P3P policy generator packages. (Searching Google turns up more results, but the only one that seems to be free to use is IBM's P3P Policy Editor.)

Note:

The development web server bundled with Visual Studio (ASP.NET Development Server) does not support this feature; it reports the error: This operation requires IIS integrated pipeline mode.

 

References:

Using P3P to solve the third-party cookie access problem
http://www.javaeye.com/topic/94336

IBM P3P Policy Editor
http://www.alphaworks.ibm.com/tech/p3peditor

How to configure IIS to use Platform for Privacy Preferences (P3P)
http://support.microsoft.com/kb/324013/en-us

How to Deploy P3P Privacy Policies on Your Web Site
http://msdn.microsoft.com/en-us/library/ms537341(VS.85).aspx

Add a Custom HTTP Response Header (IIS 7)
http://technet.microsoft.com/en-us/library/cc753133(WS.10).aspx

Platform for Privacy Preferences (P3P) (about cookies)
http://www.yxl.cn/Info/20060302,212041,5095.html

Using P3P
http://welcome.hp.com/country/cn/zh/privacy/p3p_popup.html

Using the P3P header to solve cross-domain iframe access to cookies/sessions
http://blog.csdn.net/Hashxu/archive/2009/01/02/3684402.aspx

Passing cookies across domains with P3P
http://hi.baidu.com/thinkinginlamp/blog/item/5e2a02084f1dafd163d9865f.html

Using P3P to solve the cross-domain cookie problem in iframes
http://blog.ntsky.com/p3p-iframe-cookie.html

Enabling cross-domain cookie access by setting the P3P header
http://blog.c114.net/html/38/193738-35549.html

P3P
http://www.hudong.com/wiki/p3p

Reposted from: http://blog.csdn.net/ghj1976/archive/2009/11/27/4889219.aspx
