P3P Made Simple

By default, IE will reject cookies coming from 3rd-party contexts. A 3rd-party context is one where the domain on the content is different than the domain of the page that pulls in that content. Possible third-party contexts include pretty much any element that accepts a URL: <script>, <img>, <link>, <frame>, <iframe>, <audio>,<video>, et cetera. It also includes cross-domainXmlHttpRequests which attempt to send cookies when thewithCredentials flag is set.

For instance, consider a webpage with a subframe, like this:

The 1st-Party Context is domain1.com and the 3rd-Party Context is domain2.com. By default, if the HTML content in the IFRAME tries to set a cookie, it will fail to do so. IE will behave as if the cookie from domain2.com doesn’t exist.

Unfortunately, IE’s F12 Developer Tools won’t show a warning when this happens. In older versions of IE, you’d see a little “eye” icon in the IE status bar, but that was removed in IE9. Today, to see that a cookie has been rejected, you have to click View > Web Page Privacy Policy.

That command will show you a summary of what happened to cookies during the loading of the page. For instance, loading this blog post yields the following:

Declare Your Policy

To get IE to accept cookies from your server in a 3rd-party context (or to get IE to resend a previously-set cookie toyour server when it is accessed in a 3rd-party context), you must declare the privacy policy that governs how your cookies will be used. That declaration takes the form of a P3P header on the HTTP response (or, less commonly, a META tag with the same content).

For instance, this blog sends the following:

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Each token in the Compact Policy (CP) attribute has a particular meaning that explains in a machine-readable way how the cookie will be used. Fiddler’s Cookies Response Inspector breaks down the policy into English (well…legalese, at least :-)

Upon receiving a cookie, IE will automatically the cookie’s privacy policy to the user’s configured preferences when deciding whether or not to accept, restrict, or block the cookie.

The P3P statement must be provided by the 3rd party content. In our example:

…when the subframe tries to set a cookie, IE only considers the P3P statement from domain2.com. Adding a P3P statement to domain1.com will NOT change the cookie handling for the subframe.

A P3P statement is a legal declaration of how your cookie will be used. You shouldn’t just throw “whatever works” into a P3P header, or you might find yourself in violation of national privacy laws and/or subject to civil lawsuits.

From: http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx

A Quick Look at P3P的更多相关文章

  1. Security Report: Stop using relative path to import CSS files

    Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities   Early last year G ...

  2. IE block my cookie in iframe

    ---恢复内容开始--- There is a severe bug that a leader figured it out in a published project. In IE11, the ...

  3. [算法]——快速排序(Quick Sort)

    顾名思义,快速排序(quick sort)速度十分快,时间复杂度为O(nlogn).虽然从此角度讲,也有很多排序算法如归并排序.堆排序甚至希尔排序等,都能达到如此快速,但是快速排序使用更加广泛,以至于 ...

  4. Quick Cocos (2.2.5plus)CoinFlip解析(MenuScene display AdBar二次封装)

    转载自:http://cn.cocos2d-x.org/tutorial/show?id=1621 从Samples中找到CoinFlip文件夹,复制其中的 res 和 script 文件夹覆盖新建工 ...

  5. 《Qt Quick 4小时入门》学习笔记4

    http://edu.csdn.net/course/detail/1042/14806?auto_start=1 Qt Quick 4小时入门 第七章:处理鼠标与键盘事件 1.处理鼠标事件 鼠标信号 ...

  6. 《Qt Quick 4小时入门》学习笔记3

    http://edu.csdn.net/course/detail/1042/14807?auto_start=1 Qt Quick 4小时入门 第八章:Qt Quick中的锚(anchors)布局 ...

  7. 《Qt Quick 4小时入门》学习笔记2

    http://edu.csdn.net/course/detail/1042/14805?auto_start=1   Qt Quick 4小时入门 第五章:Qt Quick基本界面元素介绍   1. ...

  8. spring in action 4th --- quick start

    读spring in action. 环境搭建 quick-start依赖注入 面向切面 1.环境搭建 jdk1.8 gradle 2.12 Intelij idea 2016.2.1 1.1创建一个 ...

  9. A Quick Introduction to Linux Policy Routing

    A Quick Introduction to Linux Policy Routing 29 May 2013 In this post, I’m going to introduce you to ...

随机推荐

  1. mysql 导入

    1.默认情况下:MySQL导入文件大小有限制的,最大为2M,所以当文件很大时候,直接无法导入,可修改php.ini参数调整: 在php.ini中修改相关参数: 影响MySQL导入文件大小的参数有三个: ...

  2. 最全面的Android Webview详解

    转自:最全面的Android Webview详解 前言 现在很多App里都内置了Web网页(Hyprid App),比如说很多电商平台,淘宝.京东.聚划算等等,如下图  那么这种该如何实现呢?其实这是 ...

  3. Poj 2096 Collecting Bugs (概率DP求期望)

    C - Collecting Bugs Time Limit:10000MS     Memory Limit:64000KB     64bit IO Format:%I64d & %I64 ...

  4. C++自带向量_vector_C++

    vector 向量,是C++自带的一种容器,其实就是一个升级版的数组 因为它使用的是动态空间,所以当我们不确定数组空间的时候可以使用它 若要使用需打开头文件 #include<vector> ...

  5. go环境安装

    选择想要安装的版本: http://golangtc.com/download tar -zxf go1.8.linux-amd64.tar.gz cp -R go/ /usr/local/ vi / ...

  6. error C2440: 'static_cast' : cannot convert from 'UINT (__thiscall CStaticLink::* )(CPoint)' to 'LRESULT (__thiscall CWnd::* )(CPoint) (转)

    原文转自 http://blog.csdn.net/yinxing408033943/article/details/7601698 解决方法: 找到  UNIT CStaticLink::OnNcH ...

  7. 链表各种操作及其实现方法(c实现)

    链表是一种最简单的数据结构之一,经常会被面试官用来考察应聘者的基础扎不扎实,最近也到了求职季,所以我把自己对链表的一些理解写出来,希望能跟大家交流交流: 链表的概念其实挺简单,无非就是一个利用指针将数 ...

  8. pymongo.errors.BulkWriteError错误排解

    在mongodb进行数据库操作的时候触发异常   pymongo Error: pymongo.errors.BulkWriteError: batch op errors occurred 这种问题 ...

  9. django返回响应对象

    Django的视图必须要返回一个HttpResponse对象(或者其子类对象),不能像flask一样直接返回字符串. Django: return HttpResponse("Hello&q ...

  10. Selenium2+python自动化6-八种元素元素定位(Firebug和firepath)【转载】

    前言 自动化只要掌握四步操作:获取元素,操作元素,获取返回结果,断言(返回结果与期望结果是否一致),最后自动出测试报告.本篇主要讲如何用firefox辅助工具进行元素定位.元素定位在这四个环节中是至关 ...