P3P: What it is and what it means to you
A W3C standard that may cause you to change your web site
Question: What is P3P?
Answer: It is a W3C standard on how to specify privacy policies for a web site. The standard has both a human readable part to it, as well as a machine readable part. The standard can be found here: [w3.org ], with errata at [w3.org ], and other information about it at [w3.org ].
Question: Why is it important that I know anything about it?
Answer: IE6 will be supporting a feature that reads the machine readable P3P policy of a web site. Depending on the settings in the options dialog, it may disable certain features of the browser, such as the capability of setting cookies, unless there is a P3P file in place, and the file matches the user's preferences. So unless you implement a P3P policy on your web site, some users may have a bad experience visiting your site.
Question: How can I easily create P3P policies?
Answer: The P3P file specification, and requirements for locating the files are given in the references above. However, I have personally found it difficult to read. There is a deployment guide at [w3.org ] that is a somewhat easier guide. There is a free editor available for download from the IBM web site at [alphaworks.ibm.com ]. It works, although it is difficult to set up right the first time.
Question: How do I know I did it right?
Answer: There is a validator at [w3.org ], that will check out your web site and report any P3P problems.
My question is "what, if anything, do we need to do on OUR domains"?
You need to take the following steps to make your site p3p compliant:
1. You need to create three files:
a. An HTML description of your policies, say called policy.html
b. A p3p reference file, called p3p.xml
c. p3p policy file, say called policy.xml
The editor will help you construct the correct syntax and descriptions. Setting up the editor was tricky as you first had to install the java files from the Sun site. The interface is consistent but a little weird. It gets the job done, and is far easier than working through the p3p spec. I'll try to help with questions about it if anyone has them.
2. Create a directory called /w3c off the root of your domain and locate all three files in that directory.
3. Help user agents find the files. There are three ways that a web browser can use to find the files.
a. By looking for the /w3c directory
b. By looking at the HTTP header
c. By looking at a link tag within the file
It is suggested that you help the web browser with all three techniques. The directory is already done. To do the HTTP header, you need to add a line that makes it look like this:
Now exactly how you do that depends on your web server. In Active Server Pages, you can either configure IIS to do it in the IIS management dialogs, or you can add the following line to the top of your ASP document:
Call Response.AddHeader("P3P", "policyref=""/w3c/p3p.xml""")
Somebody else will have to help with the syntax for other servers.
The link tag should look like this:
<link rel="P3Pv1" href="/w3c/p3p.xml"></link>
and should be added to every document on your web site.
When I attempted to download and install the IBM P3P editor, it would not install because it could not locate a JVM (Java Virtual Machine) in Windows ME.
Well, I solved that problem by installing Sun System's JAVA Kit. The P3P editor now found the JVM without a problem and installed, and in less than 10 minutes I created my documents (already had the "human" html page to work from.)
Here are the links I found helpful to do all this...
IBM's (free) P3P editor: [alphaworks.ibm.com...]
JVM (also free): [java.sun.com...]
W3C Information on putting together your document: [w3.org...]
If you have any problems creating the referral file (I did) just edit the example at W3C to the type and number of policies you are using, naming it p3p.xml (as mentioned above in Xoc's post.)
IE6 now finds my P3P document very fast and that little red "cookie-blocked" icon has gone away from user's status bar.
(edited by: keyplyr at 8:55 am (gmt) on Sep. 28, 2001)
If you want to see P3P in action and are using IE6, while viewing this page, click on VIEW then Privacy Report.
I did a couple small sites, and found the process relatively straightforward, with the IBM editor.
Wow, well it did take me a good 4 hours to knock together a working single p3p for my site. Only stumbling block for me was getting the HTML header info working. I finally had to ask my Hosting service (thanks to VenturesOnline again!). My server is Linux, so I had to ask them. All it is is a simple .htaccess file and this code...
Header set P3P "policyref=\"http://www.domain.com/w3c/p3p.xml\""
Thanks, electro (and keyplyr)! Your info helps.
I should add that you can get the same result as the .htaccess line in IIS, through the IIS Manager dialogs. Find the HTTP header tab and add it there. The main advantage there instead of the <% ASP line is that it covers every file in your web site, not just the .asp files.
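Added example, not part of the original thread or of any poster's code: a small Python check that reports which of the three lookup methods described above (the /w3c location, the P3P HTTP header, the link tag) a given response satisfies. The function names and both sample responses are constructed for illustration; the second sample models a static page that an ASP-only header line would not cover.

```python
import re
from html.parser import HTMLParser

WELL_KNOWN = "/w3c/p3p.xml"  # reference file location used in the thread

class LinkFinder(HTMLParser):
    """Collect href values of <link rel="P3Pv1"> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "p3pv1" and a.get("href"):
            self.hrefs.append(a["href"])

def header_policyref(headers):
    """Return the quoted policyref value of the P3P response header, or None."""
    for name, value in headers.items():
        if name.lower() == "p3p":
            m = re.search(r'policyref\s*=\s*"([^"]+)"', value, re.I)
            return m.group(1) if m else None
    return None

def check_p3p(headers, html, files_on_site):
    """Report which of the three lookup methods one response satisfies."""
    finder = LinkFinder()
    finder.feed(html)
    report = {
        "well_known": WELL_KNOWN in files_on_site,
        "header": header_policyref(headers),
        "link": finder.hrefs[0] if finder.hrefs else None,
    }
    report["missing"] = sorted(k for k in ("well_known", "header", "link") if not report[k])
    return report

# Constructed sample responses (not captured from a real site).
GOOD = ({"Content-Type": "text/html", "P3P": 'policyref="/w3c/p3p.xml"'},
        '<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></link></head></html>')
STATIC_ONLY = ({"Content-Type": "text/html"},
               "<html><head><title>plain page</title></head></html>")

if __name__ == "__main__":
    site = {"/w3c/p3p.xml", "/w3c/policy.xml", "/w3c/policy.html"}
    for label, (hdrs, body) in (("good", GOOD), ("static", STATIC_ONLY)):
        print(label, check_p3p(hdrs, body, site))
```

A header whose policyref value is not quoted is reported as missing, since the check only accepts the quoted form shown in the thread.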