
Forum Moderators: incrediBILL


P3P: What it is and what it means to you

A W3C standard that may cause you to change your web site



7:36 pm on Jun 18, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 18, 2001
votes: 0

Question: What is P3P

Answer: It is a W3C standard on how to specify privacy policies for a web site. The standard has both a human readable part to it, as well as a machine readable part. The standard can be found here: [w3.org ], with errata at [w3.org ], and other information about it at [w3.org ].

Question: Why is it important that I know anything about it?

Answer: IE6 will be supporting a feature that reads the machine readable P3P policy of a web site. Depending on the settings in the options dialog, it may disable certain features of the browser, such as the capability of setting cookies, unless there is a P3P file in place, and the file matches the user's preferences. So unless you implement a P3P policy on your web site, some users may have a bad experience visiting your site.

Question: How can I easily create P3P policies?

Answer: The P3P file specification, and requirements for locating the files are given in the references above. However, I have personally found it difficult to read. There is a deployment guide at [w3.org ] that is a somewhat easier guide. There is a free editor available for download from the IBM web site at [alphaworks.ibm.com ]. It works, although it is difficult to set up right the first time.

Question: How do I know I did it right?

Answer: There is a validator at [w3.org ], that will check out your web site and report any P3P problems.

12:58 pm on June 19, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 7, 2000
votes: 0


We build flat / static doorway domains to feed core sites that are flash, dynamic, etc and use cookies to track sales of STUFF to the customers we send them. The core sites take data and track the customers return visits for up to a year.

My question is "what, if anything, do we need to do on OUR domains"?



2:30 am on June 20, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 18, 2001
votes: 0

You need to take the following steps to make your site p3p compliant:

1. You need to create three files:

a. An HTML description of your policies, say called policy.html

b. A p3p reference file, called p3p.xml

c. p3p policy file, say called policy.xml

These files must be created using the syntax given in the p3p specification. The p3p specification is overly complex in my opinion, taking into account the most horrendously complex privacy policy that you can imagine. I strongly suggest using an editor, such as the IBM p3p editor mentioned in my first post on the subject, to help you create them.

The editor will help you construct the correct syntax and descriptions. Setting up the editor was tricky as you first had to install the java files from the Sun site. The interface is consistent but a little weird. It gets the job done, and is far easier than working through the p3p spec. I'll try to help with questions about it if anyone has them.

2. Create a directory called /w3c off the root of your domain and locate all three files in that directory.

3. Help user agents find the files. There are three ways that a web browser can use to find the files.

a. By looking for the /w3c directory

b. By looking at the HTTP header

c. By looking at a link tag within the file

It is suggested that you help the web browser with all three techniques. The directory is already done. To do the HTTP header, you need to add a line that makes it look like this:

P3P: policyref="/w3c/p3p.xml"

Now exactly how you do that depends on your web server. In Active Server Pages, you can either configure IIS to do it in the IIS management dialogs, or you can add the following line to the top of your ASP document:

Call Response.AddHeader("P3P", "policyref=""/w3c/p3p.xml""")

Somebody else will have to help with the syntax for other servers.

The link tag should look like this:

<link rel="P3Pv1" href="/w3c/p3p.xml"></link>

and should be added to every document on your web site.

To see examples for a very simple privacy policy, see the directory www.986faq.com/w3c for the three files mentioned above (actually the text version is in policy.asp, not policy.html on this site).
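
The three lookup methods listed in the post above, as an added example (not part of the original post and not code from any participant): a Python check that takes a page's response headers and HTML, reports which reference file each method points to, and flags any method that is missing or disagrees with /w3c/p3p.xml. The sample URL, headers and HTML are constructed, and the function names are illustrative.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

WELL_KNOWN = "/w3c/p3p.xml"  # reference file location used in the post above

class _LinkFinder(HTMLParser):
    """Collects href values of <link rel="P3Pv1"> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "p3pv1" and a.get("href"):
            self.hrefs.append(a["href"])

def header_policyref(headers):
    """Return the policyref value from a P3P response header, or None."""
    for name, value in headers.items():
        if name.lower() == "p3p":  # header names are case-insensitive
            m = re.search(r'policyref\s*=\s*"([^"]*)"', value, re.I)
            return m.group(1) if m else None
    return None

def discover(page_url, headers, html):
    """Map each discovery method to the absolute reference-file URL it yields."""
    finder = _LinkFinder()
    finder.feed(html)
    ref = header_policyref(headers)
    return {
        "well_known": urljoin(page_url, WELL_KNOWN),
        "http_header": urljoin(page_url, ref) if ref else None,
        "link_tag": urljoin(page_url, finder.hrefs[0]) if finder.hrefs else None,
    }

def inconsistencies(found):
    """Methods that are missing or point somewhere other than /w3c/p3p.xml."""
    expected = found["well_known"]
    return sorted(k for k, v in found.items() if v != expected)

# Constructed sample response (not captured from a real site).
SAMPLE_URL = "http://www.example.com/products/index.asp"
SAMPLE_HEADERS = {"Content-Type": "text/html", "P3P": 'policyref="/w3c/p3p.xml"'}
SAMPLE_HTML = '<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></link></head></html>'

if __name__ == "__main__":
    found = discover(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML)
    print(found, inconsistencies(found))
```

An empty list from `inconsistencies` means all three methods agree; a method name in the list is the one to fix on the server or in the page template.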

6:27 am on Sept 28, 2001 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
votes: 64

When I attempted to download and install the IBM P3P editor, it would not install because it could not locate a JVM (Java Virtual Machine) in Windows ME.

Well, I solved that problem by installing Sun System's JAVA Kit. The P3P editor now found the JVM without a problem and installed, and in less than 10 minutes I created my documents (already had the "human" html page to work from.)

Here are the links I found helpful to do all this...

IBM's (free) P3P editor: [alphaworks.ibm.com...]

JVM (also free): [java.sun.com...]

W3C Information on putting together your document: [w3.org...]

If you have any problems creating the referral file (I did) just edit the example at W3C to the type and number of policies you are using, naming it p3p.xml (as mentioned above in Xoc's post.)

IE6 now finds my P3P document very fast and that little red "cookie-blocked" icon has gone away from user's status bar.


(edited by: keyplyr at 8:55 am (gmt) on Sep. 28, 2001)

6:54 am on Sept 28, 2001 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 4, 2001
votes: 7

If you want to see P3P in action and are using IE6, while viewing this page, click on VIEW then Privacy Report.

7:37 am on Sept 28, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:Sept 20, 2001
votes: 0

I did a couple small sites, and found the process relatively straightforward, with the IBM editor.

3:53 pm on Nov 16, 2001 (gmt 0)

Junior Member

10+ Year Member

joined:June 11, 2001
votes: 0

Wow, well it did take me a good 4 hours to knock together a working single p3p for my site. Only stumbling block for me was getting the HTML header info working. I finally had to ask my Hosting service (thanks to VenturesOnline again!). My server is Linux, so I had to ask them. All it is is a simple .htaccess file and this code...

Header set P3P "policyref=\"http://www.domain.com/w3c/p3p.xml\""

Done :-)


4:25 pm on Nov 16, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 18, 2001
votes: 0

Thanks, electro (and keyplyr)! Your info helps.

I should add that you can get the same result as the .htaccess line in IIS, through the IIS Manager dialogs. Find the HTTP header tab and add it there. The main advantage there instead of the <% ASP line is that it covers every file in your web site, not just the .asp files.

continued: [webmasterworld.com...]
