Web DevCenter
oreilly.comSafari Books Online.Conferences.
MySQL Conference and Expo April 14-17, 2008, Santa Clara, CA

Sponsored Developer Resources

Web Columns
Adobe GoLive
Essential JavaScript

Web Topics
All Articles
Scripting Languages

Atom 1.0 Feed RSS 1.0 Feed RSS 2.0 Feed

Learning Lab

Help! IE6 Is Blocking My Cookies
Pages: 1, 2

How Do I P3P Enable My Web Site and Use Compact Policies?

P3P-enabling a site need not be difficult, time consuming, or expensive. A small site that has an existing privacy policy may be able to get P3P-enabled within a few hours. However, I know from experience that P3P enabling a site for a multi-national company that has dozens, or even hundreds, of Web servers for many different business units located around the world can be a challenge. Fortunately, the task can be accomplished incrementally, and P3P can be rolled out one server at a time, if need be.

In Web Privacy with P3P I describe the process of P3P-enabling a Web site in seven steps. Here is a summary of this process:

  1. Hopefully, your site already has a privacy policy. If not, you need to create one. This is not only essential for using P3P, but also good business practice. Chapter 5, "Overview and Options," of Web Privacy with P3P includes some tips on writing a privacy policy and links to online resources that you may find helpful.

  2. Once you have created a privacy policy, you will need to analyze the use of cookies and third-party content on your site. Privacy policies describe the kinds of data a company may collect, but they generally do not go into much detail about the ways in which cookies are used. Cookies can enable otherwise non-identifiable data to be linked to identifiable data, sometimes unintentionally. They may also enable data to be shared in unanticipated ways. It is important to analyze how cookies are used on your Web site and how they interact with other cookies and with HTML forms. It is also important to identify cookies that may be treated as third-party cookies.

  3. Next, determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site. If you already have multiple privacy policies for your site, then you will probably want to have multiple P3P policies as well. For example, some sites have different policies associated with different types of services they offer. Even if you have a single, comprehensive policy for your entire site, you may want to have multiple P3P policies. For example, your site's privacy policy might include a statement like "We do not collect personally identifiable information from visitors except when they fill out a form to order a product from us." You might wish to create two P3P policies -- one for use on most of your site where there are no forms, and the other for use specifically on the parts of the site where visitors fill out forms to order products.

  4. Create a P3P policy (or policies) and compact policy for your site. You can use one of the P3P policy-generator tools listed at http://www.w3.org/P3P/ to easily create a P3P policy and compact policy without having to learn XML. My personal favorite is the P3P Policy Editor from IBM, which is available as a free download. Chapter 7, "Creating P3P Policies," of Web Privacy with P3P includes step-by-step instructions for using the P3P Policy Editor.

  5. Create a policy reference file for your site. Most of the policy generator tools will help you create a policy reference file. This file lists all of the P3P policies on your site and the parts of your site to which they apply. In most circumstances, you will have just one policy reference file for your entire site.

  6. Configure your server for P3P. On most sites, this can be done by simply placing the P3P policy and policy reference files on the Web server in the proper locations. (Usually, the proper location for the policy reference files is /w3c/p3p.xml -- which is known as the "well-known location.") However, due to the way some sites are set up, they may find it advantageous to configure their servers to send a special P3P header with every HTTP response. Some sites may find it useful to add special P3P LINK tags to their HTML content. Sites with third-party cookies (and some sites with first-party cookies) will also want to configure their servers to add P3P compact policies to their HTTP set-cookie responses. Appendix B of my book provides instructions for configuring several popular Web servers to do this. This information is also available online.

  7. Test your site to make sure it is properly P3P enabled. The W3C P3P Validator can be used to test your site and report back a list of any problems it finds. Of course, this tool cannot verify that your P3P policy matches your privacy policy, or that either policy conforms with your actual practices. But it can make sure that your policy and policy reference files are syntactically correct and that you've configured everything properly. This tool can also be used to verify that your server is issuing P3P compact policies when it sets cookies. You can try the W3C P3P Validator.

Some Web developers have told me that they found P3P policies and compact policies on random Web sites and copied them onto their own sites in order to quickly P3P-enable. This is a very bad idea! P3P policies are similar to contracts. They make statements about Web site privacy policies that must be consistent with the site's human-readable privacy policy, as well as the site's actual practices. You may want to review other Web sites' P3P policies to better understand P3P, or take a look at the examples in my book, but make sure the policies you post represent your site's actual practices!

I P3P-Enabled My Site, But My Cookies are Still Being Blocked by IE6

There are several reasons why this may happen. It may take a little detective work to solve the problem, but usually it is solvable.

Most often, the problem is that the Web server is not actually issuing the P3P compact policy with the set-cookie responses. In some cases, it may be issuing the compact policy with some set-cookie responses, but not with others. You can use the W3C P3P Validator to check whether the compact policy is being issued. Fixing this problem depends on your particular server and how the cookie is being set.

Sometimes the problem is that the compact policy is not syntactically correct. This is easily checked with the W3C P3P Validator.

In other cases, the compact policy is correct, but it does not meet IE6's qualifications as a satisfactory policy. The P3P Policy Editor provides information about whether a compact policy is considered satisfactory. Some of the Web-based compact policy tools listed on the W3C Web site also provide this information. If your compact policy is not satisfactory, you may need to change your site's data practices. Generally, this involves providing a way for users to opt out of having their data used in certain ways. Sometimes cookies are blocked only when users change the IE6 default cookie settings. In this case, a user has selected more stringent criteria for cookie blocking. Again, you can change your practices to meet these criteria. However, this is not always possible. You should make sure your applications at least fail gracefully in cases where your cookies are blocked. Ideally, your applications will be able to operate (at least partially) without cookies, or they will notify the user that cookies are required and provide instructions for overriding the blocking.

I have seen a few cases where P3P-enabling a site solves the cookie-blocking problem, but the developer who is testing the site doesn't realize this, because their browser has stored old cookies that are still being blocked. If all else fails, try removing your site's cookies from your computer (or even deleting all of your cookies) and restarting your browser to see whether the new cookies are still being blocked.

My Cookies aren't being Blocked, But Users are Not Able to View an IE6 Privacy Report for My Site

Usually this occurs when a site has not been properly P3P-enabled. In order for a privacy report to display the site must be properly P3P-enabled with a full P3P policy and policy reference file. The first thing you should do is use the W3C Validator to make sure there are no syntax errors in these files and verify that they have been placed in the proper location on your Web server. If the Privacy Report is available from some pages on your site but not others, then you probably have a problem with your policy reference file. Chapter 8, "Creating and Referencing Policy Reference Files," of Web Privacy with P3P gives detailed information about policy reference files.

Producer's Note: We have recently P3P-enabled the oreilly.com and oreillynet.com sites. I encourage you to use our policy as an example when creating your own, while also heeding Lorrie's advice that your P3P privacy policy, your site's human-readable privacy policy, and your site's actual practices are all consistent (I found that to be the most difficult part of the process).

O'Reilly & Associates recently released (September 2002) Web Privacy with P3P.

Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science and in the Engineering and Public Policy Department at Carnegie Mellon University. She is director of the CMU Usable Privacy and Security Laboratory (CUPS). She came to CMU in December 2003 after seven years at AT&T Labs-Research.

Return to the Web Development DevCenter.