A Brief Overview of P3P

Cross-domain cookies in IE with IFRAME and JSONP

P3P: CP=CAO PSA OUR


Reference table:

Browser | Allows third-party cookies by default | Supports P3P | Effect of a compact P3P policy header once third-party cookies are blocked | Notes
IE6 | | | HTTP can read and write cookies. JS can read cookies. On the first response carrying a P3P header, JS has no permission to write cookies; it only works from the second request on. (A second request served straight from the cache does not work either, unless the first request was uncached and received the P3P header. A workaround is mentioned later.) | Avoid writing cookies from JS.
IE7-IE9 | | | HTTP and JS can read and write freely. | -
Firefox | | | Neither HTTP nor JS can read or write. | -
Chrome | | Partial support, trending toward no | The trend is that HTTP and JS can read but not write. | -
Safari | | | HTTP and JS can read but not write. | Writes can be achieved by submitting a form via POST.
Opera | | | JS can read and write; HTTP can read but not write. | -


Related resources: http://www.w3.org/2002/04/P3Pv1-header.html

Compact Policies

A compact policy is essentially a summary of a site's P3P policy. Its purpose is to let user agents obtain the site's P3P policy information quickly, which benefits performance.
To explain compact policies in depth, following the P3P1.0[4] specification, we list the restrictive grammar below:

compact-policy-field     = `CP="` compact-policy `"`

compact-policy           = compact-token *(" " compact-token)

compact-token            = compact-access           |
                           compact-disputes         |
                           compact-remedies         |
                           compact-non-identifiable |
                           compact-purpose          |
                           compact-recipient        |
                           compact-retention        |
                           compact-categories       |
                           compact-test

compact-access           = "NOI" | "ALL" | "CAO" | "IDC" | "OTI" | "NON"

compact-disputes         = "DSP"

compact-remedies         = "COR" | "MON" | "LAW"

compact-non-identifiable = "NID"

compact-purpose          = "CUR"        | "ADM" [creq] | "DEV" [creq] | "TAI" [creq] |
                           "PSA" [creq] | "PSD" [creq] | "IVA" [creq] | "IVD" [creq] |
                           "CON" [creq] | "HIS" [creq] | "TEL" [creq] | "OTP" [creq]

creq                     = "a" | "i" | "o"

compact-recipient        = "OUR" | "DEL" [creq] | "SAM" [creq] | "UNR" [creq] |
                           "PUB" [creq] | "OTR" [creq]

compact-retention        = "NOR" | "STP" | "LEG" | "BUS" | "IND"

compact-categories       = "PHY" | "ONL" | "UNI" | "PUR" | "FIN" | "COM" |
                           "NAV" | "INT" | "DEM" | "CNT" | "STA" | "POL" |
                           "HEA" | "PRE" | "LOC" | "GOV" | "OTC"

compact-test             = "TST"

The commonly used compact-policy P3P header is P3P: CP=CAO PSA OUR (in fact CP=. is enough, or indeed any other value works). The tokens correspond to:

compact-access: CAO - contact-and-other
Identified Contact Information and Other Identified Data: access is given to identified online and physical contact information as well as to certain other identified data.
My understanding: access to identified information and data is permitted (third-party cookies may be read and written).

compact-purpose: PSA - pseudo-analysis. Authentication, analysis.

compact-recipient: OUR - ours
Ourselves and/or entities acting as our agents or entities for whom we are acting as an agent: An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information.)
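As an added example (not part of the original post), the Python below checks a P3P response-header value against the compact-policy grammar listed above, including the optional a/i/o creq suffix on purpose and recipient tokens. It follows the grammar strictly, so the quoted form CP="CAO PSA OUR" passes while the CP=. shorthand that IE accepts is rejected.

```python
import re

# Token sets transcribed from the P3P 1.0 compact-policy grammar quoted above.
PLAIN_TOKENS = (
    {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}            # compact-access
    | {"DSP"}                                            # compact-disputes
    | {"COR", "MON", "LAW"}                              # compact-remedies
    | {"NID"}                                            # compact-non-identifiable
    | {"CUR"}                                            # compact-purpose without creq
    | {"OUR"}                                            # compact-recipient without creq
    | {"NOR", "STP", "LEG", "BUS", "IND"}                # compact-retention
    | {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
       "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}  # compact-categories
    | {"TST"}                                            # compact-test
)
# Tokens that may carry an optional one-letter creq suffix ("a" | "i" | "o").
CREQ_TOKENS = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
               "DEL", "SAM", "UNR", "PUB", "OTR"}
CREQ = {"a", "i", "o"}

# compact-policy-field = `CP="` compact-policy `"`
_FIELD_RE = re.compile(r'^CP="([^"]*)"$')


def parse_compact_policy(header_value):
    """Return the tokens of a P3P header value such as 'CP="CAO PSA OUR"'.

    Raises ValueError when the value does not match the compact-policy grammar.
    The CP=. shorthand mentioned in the post is accepted by IE but is not
    grammatical, so it is rejected here.
    """
    m = _FIELD_RE.match(header_value.strip())
    if not m:
        raise ValueError('value must have the form CP="token token ..."')
    tokens = m.group(1).split(" ")  # the grammar allows exactly one space between tokens
    if tokens == [""]:
        raise ValueError("compact-policy needs at least one compact-token")
    for tok in tokens:
        if tok in PLAIN_TOKENS:
            continue
        if tok[:3] in CREQ_TOKENS and (len(tok) == 3 or (len(tok) == 4 and tok[3] in CREQ)):
            continue
        raise ValueError("unknown compact-token: %r" % tok)
    return tokens


def is_valid_compact_policy(header_value):
    """Boolean wrapper around parse_compact_policy for response-header checks."""
    try:
        parse_compact_policy(header_value)
        return True
    except ValueError:
        return False
```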


Notes:

. The IE P3P compact policy can be shortened to: P3P:CP=.

. IE6's implementation has a bug to watch for: on the first visit to a third-party page, JS cannot write third-party cookies. Avoid writing cookies from JS wherever possible.

. For a third party, avoid manipulating cookies from JS at all; use it at most to read, never to write. Unless login authentication is involved, use Storage instead of cookies.


References:

1. http://p3ptoolbox.org/tools/
2. http://www.w3.org/P3P/implementations/
3. http://www.w3.org/P3P/
4. http://www.w3.org/TR/2002/REC-P3P-20020416/
5. https://www.w3.org/2002/04/P3Pv1-header.html
6. Validator: http://www.w3.org/P3P/validator.html
7. http://www.fiddler2.com/redir/?id=p3pinfo
8. http://www.w3.org/P3P/details.html
