Friday 21 August 2009

How to create P3P policy and implement P3P header

For website that require cookies, if using the web site in an Iframe, and parent website is on a different domain, then 3rd party(cross domain) cookies that do not have a compact policy will be blocked on some common browser privacy settings, e.g. IE when privacy setting is set to Medium.

This result on the web site inside the Iframe won't working properly, as session won't work if cookie is not enabled.

P3P compact policy can be applied to website as HTTP header so user agents such as IE can detect the P3P policy and decide whether or not to allow cookies from a particular site.

Please refer to http://en.wikipedia.org/wiki/P3P and http://www.w3.org/TR/P3P/ for further details on P3P definition.

If you are building a test site, you can grab some dummy P3P compact policy online(e.g. CP="CAO PSA OUR"), but if you need a proper one for your production website, generate your own one would be better :-)

There are some softwares or online generators can be used to generate P3P policy. I used the P3P Policy Editor from IBM http://www.alphaworks.ibm.com/tech/p3peditor/ to generate P3P policy.

Unzip the p3pExecutableJar and execute the p3p.jar to load up the software.

You can create a new policy from scratch or create one from one of the templates which I found is easier.

Please refer to this Knowledge Gene Create and Use P3P Policy for Website for detailed instructions.
* To view text views, select a knowde and click Attached Text icon on the right panel header.

Once the policy is created, it includes a Privacy Policy html file and the Compact Policy text, you need to deploy the Privacy Policy html to your website, and use the Compact Policy text in individual pages header.

For example, Page.Response.AddHeader("p3p","CP=\"CAO PSA OUR\""); for ASP.NET C#,
Adam Young's blog has a very good post about syntax on different languages.
Alternatively, you can set it in IIS for the whole web site. The KGene include instruction on how to set up HTTP header in IIS as well :-)

7 comments:

  1. Respected,
    I have a page aspx with an internal iframe that should receive pages called by menu of the type: ul id="menu"
    li a href="Eccaflesm1.aspx" target="iframePDF">E C C A F /a /li
    li a href="#" target="iframePDF" Quem Somos /a /li
    /ul
    The iframe is iframe id="iframePDF" style="width:748px; height:416px" runat="server"
    scrolling="yes" /iframe>.
    In the firefox and chrome it perfectly works. And in IE8 it doesn't work, the page opens in another window.
    It includes the directing HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

    in the load aspx-cs and it continues not working in IE.
    I request help for that problem. Adim.

    ReplyDelete
  2. Hi Adim,

    Sorry for 'very' late reply, I haven't maintained this blog for long time.

    Have you solved the problem?

    I haven't used target to open link in Iframe so can't comment on that approach. I normally use javascript to load page in iframe which works in IE, Firefox, Chrome.

    For example, you can attach onclick event on the link and set it to point to a javascript function, e.g. onclick = "OpenPageInIframe('xxx.aspx');return false;"

    In the OpenPageInIframe javascript function, you get the Iframe based on the id, and set the url:
    function OpenPageInIframe(_pageUrl)
    {
    var iframe = document.getElementById("iframePDF");
    if(iframe != null)
    {
    iframe.src = _pageUrl;
    }
    }

    Hope this help.

    ReplyDelete
  3. Will Persona 3 Portable (P3P) come out to America anytime soon, if so when or estimated date?
    Thank-you
    Silver MLM

    ReplyDelete
  4. Hi Ridhi,

    P3P is the Platform for Privacy Preferences Project. Below is the definition from Wikipedia:
    http://en.wikipedia.org/wiki/P3P

    It's officially recommended since 2002 so you can create your P3P policy and apply it to your website.

    ReplyDelete
  5. So if the p3p is not set ie blocks the cookie or doesn't set permanently.

    I have a page from domain1.com which includes another page in domain2.com. The domain2.com page sets some cookies. The cookies are accessible inside the iframe but when I try to open another page from domain2.com the cookies are not available. This is working fine in other browsers, I tried setting p3p policy and all but still not effect.

    So I am just curious about how ie should behave without p3p policy?

    ReplyDelete
  6. good thoughts on p3p policy and implementation in stored procedure

    ReplyDelete