A Webmaster's Guide to Troubleshooting P3P

Common P3P Policy Problems

A frequent problem I see with Web site P3P policies is that they mention only data they collect explicitly from Web forms. Don't forget to mention Web log files too. Almost every site keeps Web log files. Unless you know for a fact that your site keeps no Web logs, make sure you mention them in your P3P policy. Several examples of how to do this are explained at the end of Chapter 9, "Data Schemas," in my book.

Some P3P policies do not disclose all of the data associated with cookies. It is not sufficient to describe only the data stored in a cookie; you must also describe the data linked to the cookie. So, for example, if the cookie contains a unique identifier that is used as a database key, all of the types of information in that database must also be described. You must also be aware of how this data will be used by all of the sites in your domain to which the cookie might be replayed.

Some policies disclose the contact purpose unnecessarily. The contact purpose need only be disclosed if the site may contact visitors for marketing. If the site contacts visitors only in response to their emails or as part of performing the service the visitor requested (unless the requested service is marketing), then the contact purpose is not necessary.

If your site indicates that opt-in or opt-out choices are available, make sure that the opturi you disclose points to a page that actually explains how to opt in or opt out. I've seen some sites point to a statement that says that it is possible to opt out, but does not provide instructions on how to do it. I've also seen sites that incorrectly write an email address or phone number in the opturi field instead of providing a URL. A mailto URL is also not a valid opturi, as it provides no information about opt-out options.

Common Policy Reference File Problems

One of the most common errors I have seen in policy reference files is sites that include <INCLUDE>/</INCLUDE> in their policy reference file when they want to apply a policy to their entire site. This statement will apply the policy only to the home page. The correct way to apply a policy to an entire site is with <INCLUDE>/*</INCLUDE>. I have also seen sites that use a "\" character instead of a "/" character. The "\" character is incorrect.

It is easy to get confused about the absolute URL to which relative URLs are relative. Relative URLs in the about attribute are evaluated relative to the policy reference file (which is often in the /w3c directory). Relative URLs in INCLUDE and EXCLUDE elements are evaluated relative to the root of the host to which they are applied. To avoid some of this confusion, you can always begin your relative URLs with a "/" character to indicate that they are relative to the root of the host to which they are applied. Don't forget to include the name of the policy in the about attribute. The policy name is in the name attribute of the POLICY element. Add a pound sign (#) to the end of the URL for the policy file and then add the policy name. Thus, if a policy named "policy" was found in a file at http://www.example.com/w3c/policyfile.xml, then the about attribute would have the value http://www.example.com/w3c/policyfile.xml#policy. Because URLs cannot contain spaces unless they are properly escaped, do not put a space in your policy name.

If you want to apply your policy to cookies on your site, don't forget your COOKIE-INCLUDE elements. P3P user agents will not apply any policy to your cookies unless you have COOKIE-INCLUDE elements.
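The policy reference file mistakes described above (a bare "/" INCLUDE, backslashes, an about attribute with no #policyname fragment, a space in the policy name, and a missing COOKIE-INCLUDE) are all mechanical enough to catch with a small linter. The script below is an added example, not code from the article, the book, or the W3C; it uses the P3P 1.0 namespace and the uppercase element names as I know them from the specification, and the sample reference file it lints is constructed for the demonstration, with every mistake present so that each check fires.

```python
"""Lint a P3P policy reference file for the common mistakes listed above.

Added example, not from the article. Parses the file with xml.etree and
reports one finding per problem found. The sample file is constructed and
deliberately wrong in every way the checks look for.
"""
import xml.etree.ElementTree as ET

# P3P 1.0 namespace; element names in policy reference files are uppercase.
P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
NS = {"p3p": P3P_NS}

# Constructed sample: mirrors the errors the article warns about.
SAMPLE_PRF = """<?xml version="1.0"?>
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policyfile.xml">
      <INCLUDE>/</INCLUDE>
      <INCLUDE>\\images\\*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policyfile.xml#my policy">
      <INCLUDE>/*</INCLUDE>
      <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
"""


def lint_policy_reference(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means no problems found."""
    findings = []
    root = ET.fromstring(xml_text)
    refs = root.findall(".//p3p:POLICY-REF", NS)
    if not refs:
        return ["no POLICY-REF elements found"]
    for i, ref in enumerate(refs, 1):
        about = ref.get("about", "")
        # The about attribute must name the policy with a #fragment.
        if "#" not in about:
            findings.append(f"POLICY-REF {i}: about='{about}' has no #policyname fragment")
        else:
            name = about.split("#", 1)[1]
            if not name or " " in name:
                findings.append(f"POLICY-REF {i}: policy name '{name}' is empty or contains a space")
        for tag in ("INCLUDE", "EXCLUDE"):
            for el in ref.findall(f"p3p:{tag}", NS):
                pattern = (el.text or "").strip()
                # URL patterns use "/"; a "\" is never correct here.
                if "\\" in pattern:
                    findings.append(f"POLICY-REF {i}: <{tag}>{pattern}</{tag}> uses a backslash; use '/'")
                # "/" alone covers only the home page; "/*" covers the site.
                if tag == "INCLUDE" and pattern == "/":
                    findings.append(f"POLICY-REF {i}: <INCLUDE>/</INCLUDE> covers only the home page; use /*")
        # Without COOKIE-INCLUDE, user agents apply no policy to cookies.
        if ref.find("p3p:COOKIE-INCLUDE", NS) is None:
            findings.append(f"POLICY-REF {i}: no COOKIE-INCLUDE, so this policy will not apply to cookies")
    return findings


if __name__ == "__main__":
    for line in lint_policy_reference(SAMPLE_PRF) or ["no problems found"]:
        print(line)
```

Run against a real reference file by reading it into a string and passing it to lint_policy_reference; a clean file returns an empty list. The linter checks syntax and structure only; it does not fetch the policy file named in the about attribute, so a correctly formed fragment that names a policy which does not exist still passes.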

Don't put your policies and policy reference files on parts of your Web site that are password-protected or require authentication. A P3P user agent will usually not be able to authenticate itself and thus will not be able to fetch these files automatically. If you have a password-protected site that you want to P3P-enable, it's best to put your P3P files outside the password-protected area.

If you have a secure server that is addressed with URLs like https://www.example.com, and you are using the well-known location, make sure that a request to https://www.example.com/w3c/p3p.xml will return your policy reference file. If the policy reference file is not accessible with an https request, P3P user agents won't be able to find it.

Common Compact Policy Problems

If you think you've done everything right but IE6 is blocking your cookies under its default setting, it's time to do some more testing. First, you need to make sure that your compact policies are actually being served in the same response in which your cookies are being set. Then you need to make sure your compact policy syntax is correct--make sure you check the validator bug list too--and that your compact policy is considered "satisfactory."

I've corresponded with a number of implementers who were pulling their hair out trying to figure out why their cookies were being blocked, only to discover that their cookies were not really being blocked. After P3P-enabling your site or changing your compact policy configuration, make sure you delete the relevant cookies and restart your browser before testing. Otherwise you may be observing the behavior of legacy cookies that were not properly P3P-enabled.
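The first two tests in the paragraph before last, that the compact policy travels in the same response as the Set-Cookie header and that its syntax is valid, can be automated against a captured response. The script below is an added example and not code from the article; the compact policy token table is transcribed from the P3P 1.0 specification as I understand it, and the check is syntax-only: it does not decide whether IE6 would rate the policy "satisfactory". The sample responses are constructed, not captured from any real server.

```python
"""Check that a response which sets a cookie also carries a valid compact policy.

Added example, not from the article. Given the raw header block of one HTTP
response, it reports whether Set-Cookie arrived without a P3P header, whether
the P3P header lacks a CP="..." compact policy, and whether the compact policy
uses only P3P 1.0 tokens. Token table transcribed from P3P 1.0 section 4.
"""
import re

# Tokens that take no suffix.
FIXED_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",                # ACCESS
    "DSP",                                                    # DISPUTES
    "COR", "MON", "LAW",                                      # REMEDIES
    "NID",                                                    # NON-IDENTIFIABLE
    "OUR",                                                    # RECIPIENT (ours only)
    "NOR", "STP", "LEG", "BUS", "IND",                        # RETENTION
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
    "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",   # CATEGORIES
    "TST",                                                    # test policy
}
# Tokens that may carry an a/i/o suffix (always / opt-in / opt-out).
SUFFIXED_TOKENS = {
    "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
    "CON", "HIS", "TEL", "OTP",                               # PURPOSE
    "DEL", "SAM", "UNR", "PUB", "OTR",                        # RECIPIENT (others)
}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP header block into (name, value) pairs, names lowercased."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def extract_compact_policy(p3p_value: str):
    """Return the quoted CP="..." string from a P3P header value, or None."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', p3p_value, re.IGNORECASE)
    return m.group(1) if m else None


def invalid_tokens(cp: str) -> list[str]:
    """Return the compact policy tokens that are not in the P3P 1.0 vocabulary."""
    bad = []
    for tok in cp.split():
        core, suffix = tok[:3].upper(), tok[3:].lower()
        if core in FIXED_TOKENS and suffix == "":
            continue
        if core in SUFFIXED_TOKENS and suffix in ("", "a", "i", "o"):
            continue
        bad.append(tok)
    return bad


def check_response(raw: str) -> list[str]:
    """Findings for one response; an empty list means nothing to fix."""
    headers = parse_headers(raw)
    sets_cookie = any(name == "set-cookie" for name, _ in headers)
    p3p_values = [value for name, value in headers if name == "p3p"]
    if not sets_cookie:
        return []  # no cookie to block, so the compact policy is irrelevant here
    if not p3p_values:
        return ["Set-Cookie sent without any P3P header in the same response"]
    cp = next((c for c in map(extract_compact_policy, p3p_values) if c), None)
    if cp is None:
        return ['P3P header present but carries no CP="..." compact policy']
    return [f"unknown compact policy token: {tok}" for tok in invalid_tokens(cp)]


# Constructed sample responses (not captured from any real server).
GOOD = (
    "HTTP/1.1 200 OK\r\n"
    'P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa OUR NOR"\r\n'
    "Set-Cookie: session=abc123; Path=/\r\n"
)
BAD_TOKEN = GOOD.replace("CURa", "CURx")
NO_P3P = "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/\r\n"

if __name__ == "__main__":
    for label, response in (("good", GOOD), ("bad token", BAD_TOKEN), ("no P3P", NO_P3P)):
        print(label, check_response(response) or ["ok"])
```

Feed check_response the header block of each response your server sends while setting cookies, including redirects and responses from other hosts in your domain, since a compact policy on the page is no help if the cookie is actually set by a redirect that carries no P3P header.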

Where to Turn for Help

I hope this article has helped you learn how to troubleshoot your P3P implementation. However, if you need more information there are several places you might turn to for help. The W3C P3P Web site, the P3P Toolbox Web site, and the Web site for my book all contain a variety of online resources that may be helpful. My book is also an excellent resource for Webmasters. In addition to providing a detailed tutorial on P3P-enabling a Web site, it also contains a lot of background on privacy issues, writing privacy policies, and more. Finally, the W3C's www-p3p-policy@w3.org mailing list is a good place to read about how other people solved P3P implementation problems and to post your own questions. To subscribe, email with "subscribe" in the subject line. The mailing list archive is available at lists.w3.org/Archives/Public/www-p3p-policy/.

O'Reilly & Associates recently released (September 2002) Web Privacy with P3P.

Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science and in the Engineering and Public Policy Department at Carnegie Mellon University. She is director of the CMU Usable Privacy and Security Laboratory (CUPS). She came to CMU in December 2003 after seven years at AT&T Labs-Research.
