|MySQL Conference and Expo April 14-17, 2008, Santa Clara, CA|
A Webmaster's Guide to Troubleshooting P3P
Common P3P Policy Problems
A frequent problem I see with Web site P3P policies is that they mention only data they collect explicitly from Web forms. Don't forget to mention Web log files too. Almost every site keeps Web log files. Unless you know for a fact that your site keeps no Web logs, make sure you mention them in your P3P policy. Several examples of how to do this are explained at the end of Chapter 9, "Data Schemas," in my book.
Some P3P policies do not disclose all of the data associated with cookies. It is not sufficient to describe only the data stored in a cookie; you must also describe the data linked to the cookie. So, for example, if the cookie contains a unique identifier that is used as a database key, all of the types of information in that database must also be described. You must also be aware of how this data will be used by all of the sites in your domain to which the cookie might be replayed.
Some policies disclose the contact purpose unnecessarily. The contact purpose need only be disclosed if the site may contact visitors for marketing. If the site contacts visitors only in response to their emails or as part of performing the service the visitor requested (unless the requested service is marketing), then the contact purpose is not necessary.
Webmasters should make sure that if their sites indicate that opt-in or opt-out choices are available, then they should disclose an
Common Policy Reference File Problems
One of the most common errors I have seen in policy reference files are sites that include
It is easy to get confused about the absolute URL to which relative URLs are relative.
Relative URLs in the
If you want to apply your policy to cookies on your site, don't forget your
Don't put your policies and policy reference files on parts of your Web site that are password-protected or require authentication. A P3P user agent will usually not be able to authenticate itself and thus will not be able to fetch these files automatically. If you have a password-protected site that you want to P3P-enable, it's best to put your P3P files outside the password-protected area.
If you have a secure server that is addressed with URLs like https://www.example.com, and you are using the well-known location, make sure that a request to https://www.example.com/w3c/p3p.xml will return your policy reference file. If the policy reference file is not accessible with an https request, P3P user agents won't be able to find it.
Common Compact Policy Problems
If you think you've done everything right but IE6 is blocking your cookies under its default setting, it's time to do some more testing. First, you need to make sure that your compact policies are actually being served in the same response in which your cookies are being set. Then you need to make sure your compact policy syntax is correct--make sure you check the validator bug list too--and that your compact policy is considered "satisfactory."
I've corresponded with a number of implementers who were pulling their hair out trying to figure out why their cookies were being blocked, only to discover that their cookies were not really being blocked. After P3P-enabling your site or changing your compact policy configuration, make sure you delete the relevant cookies and restart your browser before testing. Otherwise you may be observing the behavior of legacy cookies that were not properly P3P-enabled.
Where to Turn for HelpI hope this article has helped you learn how to troubleshoot your P3P implementation. However, if you need more information there are several places you might turn to for help. The W3C P3P Web site, the P3P Toolbox Web site, and the Web site for my book all contain a variety of online resources that may be helpful. My book is also an excellent resource for Webmasters. In addition to providing a detailed tutorial on P3P-enabling a Web site, it also contains a lot of background on privacy issues, writing privacy policies, and more. Finally, the W3C's email@example.com mailing list is a good place to read about how other people solved P3P implementation problems and to post your own questions. To subscribe, email with "subscribe" in the subject line. The mailing list archive is available at lists.w3.org/Archives/Public/www-p3p-policy/.
O'Reilly & Associates recently released (September 2002) Web Privacy with P3P.
Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science and in the Engineering and Public Policy Department at Carnegie Mellon University. She is director of the CMU Usable Privacy and Security Laboratory (CUPS). She came to CMU in December 2003 after seven years at AT&T Labs-Research.
Return to the Web Development DevCenter.