
A Webmaster's Guide to Troubleshooting P3P

by Lorrie Faith Cranor, author of Web Privacy with P3P

The www-p3p-policy mailing list gets a steady stream of messages from frustrated Webmasters who are trying to P3P-enable their Web sites and have run into difficulties. In some cases these Webmasters do not understand fundamental concepts about how P3P works. However, in many cases they actually have come pretty close to successfully P3P-enabling their sites, but something is still not quite right. In this article I review some troubleshooting strategies and list some of the frequent mistakes I have seen people make. For more detail about the entire process of P3P-enabling a Web site, as well as examples of how to write policies that cover a variety of common Web site scenarios, check out my book, Web Privacy with P3P.

Test, Test, Test

The first thing you should do after P3P-enabling a Web site is to test it to make sure your P3P implementation is correct and that it works. This should be done using the W3C's P3P Validator and using at least one P3P user agent.

You can use the P3P Validator to check to make sure your P3P files are syntactically correct and placed in the appropriate location on your Web server. If the validator reports any errors, read them carefully, and work through them one at a time until you get a successful validation report. Unfortunately, bugs are still being found in the validator from time to time, so in some rare cases, valid sites do not validate, or errors are not caught. Therefore it is a good idea to review the list of known bugs on the validator Web site and check to see if any of them may be applicable to you. If you have configured your Web server to issue P3P headers, you need to make sure that your server is actually issuing those headers. The validator report will indicate whether or not the validator received any valid P3P headers from your Web site.


Once you have validated your site, you should test it with at least one P3P user agent and, if possible, with all P3P user agents that visitors to your site might be using. Right now I would advise Webmasters to test their P3P implementations using IE6, Netscape 7, and the AT&T Privacy Bird. The first thing to test with all three of these P3P user agents is whether they can produce a human-readable summary of your site's P3P policy. You can get that summary with Privacy Bird by clicking on the bird and selecting Policy Summary from the About This Site menu. IE6 will produce a policy summary if you select Privacy Report from the View menu. In Netscape 7 you will need to go to the View menu, select Page Info, go to the Privacy tab, and click on the Summary button.

Besides verifying that all three user agents can produce a policy summary, you should also read the summaries and make sure they accurately reflect your privacy policy. This is a good way to spot any errors you may have made when encoding your privacy policy in XML. While we have found some rare cases where valid P3P policies are not properly displayed, or not displayed at all by one or more P3P user agents, generally, if your policy does not display properly, it indicates there is something wrong with your policy. If you make changes to your policy, you may need to clear your browser's cache or the Privacy Bird's cache before you see an updated policy summary.

If you have implemented compact policies on your Web site, you should also use IE6 and Netscape 7 to see how your cookies are handled. Be sure to test URLs that result in your cookies being set in a third-party context (if your cookies are ever used in such a context). Use the browsers' default (medium) settings to make sure your cookies will not be blocked for most users. If IE6 displays an eye with a do-not-enter sign in the lower right-hand corner, then your cookies are being blocked or restricted; click on the eye for more information. Likewise, Netscape will display a cookie icon in the lower right-hand corner when cookies are being blocked, restricted, or flagged. When these icons appear, it does not necessarily mean that your cookies are being blocked, so do read the more detailed information to find out how the browser is handling each cookie.


IE6 and Netscape 7 may block, restrict, or flag cookies when they do not have a compact policy (or there is a problem with the compact policy), or when the compact policy indicates an "unsatisfactory" privacy practice. (Users may configure them to block cookies under other conditions as well.) Several tools will tell you whether or not your compact policy will be considered satisfactory by IE6, including the IBM P3P Policy Editor and the P3P Compact Policy Translator.
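As an added check (example code written for this article, not part of the original text or of the W3C validator), the following Python inspects a response's P3P header the way the testing above suggests: it reports a server that issues no P3P header at all, a header with no compact policy, and compact-policy tokens outside the P3P 1.0 vocabulary. It does not reproduce IE6's satisfactory/unsatisfactory rules, which the tools named above evaluate; the sample headers at the bottom are constructed.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped by the policy element each token
# abbreviates. Purpose and recipient tokens may carry a lowercase suffix
# ('a' = always, 'i' = opt-in, 'o' = opt-out), e.g. CURa or DELo.
CP_TOKENS = {
    "ACCESS": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "DISPUTES": {"DSP"},
    "REMEDIES": {"COR", "MON", "LAW"},
    "NON-IDENTIFIABLE": {"NID"},
    "PURPOSE": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "RECIPIENT": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "RETENTION": {"NOR", "STP", "LEG", "BUS", "IND"},
    "CATEGORIES": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                   "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "TEST": {"TST"},
}
SUFFIXED = CP_TOKENS["PURPOSE"] | CP_TOKENS["RECIPIENT"]


def parse_p3p_header(value):
    """Split a P3P header value into (policyref URI, list of CP tokens)."""
    ref = re.search(r'policyref\s*=\s*"([^"]*)"', value)
    cp = re.search(r'\bCP\s*=\s*"([^"]*)"', value)
    return (ref.group(1) if ref else None,
            cp.group(1).split() if cp else None)


def check_p3p(headers):
    """Return a list of findings for one HTTP response's header dict."""
    value = next((v for k, v in headers.items() if k.lower() == "p3p"), None)
    if value is None:
        return ["no P3P header: the server is not issuing one (check server config)"]
    findings = []
    policyref, tokens = parse_p3p_header(value)
    if policyref is None:
        findings.append("no policyref in P3P header (agents may fall back to /w3c/p3p.xml)")
    if tokens is None:
        findings.append("no compact policy (CP): IE6/Netscape 7 may block or restrict cookies")
        return findings
    for tok in tokens:
        # strip a legal a/i/o suffix before looking the token up
        base = tok[:-1] if tok[-1] in "aio" and tok[:-1] in SUFFIXED else tok
        if not any(base in group for group in CP_TOKENS.values()):
            findings.append(f"unknown compact policy token {tok!r}")
    return findings


if __name__ == "__main__":
    # constructed sample responses, not taken from any real site
    good = {"P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR IND NAV"'}
    print(check_p3p(good) or "OK")
    print(check_p3p({"P3P": 'CP="NOI BOGUS"'}))
```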
