P3P Made Simple

By default, IE will reject cookies coming from 3rd-party contexts. A 3rd-party context is one where the domain on the content is different than the domain of the page that pulls in that content. Possible third-party contexts include pretty much any element that accepts a URL: <script>, <img>, <link>, <frame>, <iframe>, <audio>,<video>, et cetera. It also includes cross-domainXmlHttpRequests which attempt to send cookies when thewithCredentials flag is set.

For instance, consider a webpage with a subframe, like this:

The 1st-Party Context is domain1.com and the 3rd-Party Context is domain2.com. By default, if the HTML content in the IFRAME tries to set a cookie, it will fail to do so. IE will behave as if the cookie from domain2.com doesn’t exist.

Unfortunately, IE’s F12 Developer Tools won’t show a warning when this happens. In older versions of IE, you’d see a little “eye” icon in the IE status bar, but that was removed in IE9. Today, to see that a cookie has been rejected, you have to click View > Web Page Privacy Policy.

That command will show you a summary of what happened to cookies during the loading of the page. For instance, loading this blog post yields the following:

Declare Your Policy

To get IE to accept cookies from your server in a 3rd-party context (or to get IE to resend a previously-set cookie toyour server when it is accessed in a 3rd-party context), you must declare the privacy policy that governs how your cookies will be used. That declaration takes the form of a P3P header on the HTTP response (or, less commonly, a META tag with the same content).

For instance, this blog sends the following:

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Each token in the Compact Policy (CP) attribute has a particular meaning that explains in a machine-readable way how the cookie will be used. Fiddler’s Cookies Response Inspector breaks down the policy into English (well…legalese, at least :-)

Upon receiving a cookie, IE will automatically the cookie’s privacy policy to the user’s configured preferences when deciding whether or not to accept, restrict, or block the cookie.

The P3P statement must be provided by the 3rd party content. In our example:

…when the subframe tries to set a cookie, IE only considers the P3P statement from domain2.com. Adding a P3P statement to domain1.com will NOT change the cookie handling for the subframe.

A P3P statement is a legal declaration of how your cookie will be used. You shouldn’t just throw “whatever works” into a P3P header, or you might find yourself in violation of national privacy laws and/or subject to civil lawsuits.

From: http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx

A Quick Look at P3P的更多相关文章

  1. Security Report: Stop using relative path to import CSS files

    Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities   Early last year G ...

  2. IE block my cookie in iframe

    ---恢复内容开始--- There is a severe bug that a leader figured it out in a published project. In IE11, the ...

  3. [算法]——快速排序(Quick Sort)

    顾名思义,快速排序(quick sort)速度十分快,时间复杂度为O(nlogn).虽然从此角度讲,也有很多排序算法如归并排序.堆排序甚至希尔排序等,都能达到如此快速,但是快速排序使用更加广泛,以至于 ...

  4. Quick Cocos (2.2.5plus)CoinFlip解析(MenuScene display AdBar二次封装)

    转载自:http://cn.cocos2d-x.org/tutorial/show?id=1621 从Samples中找到CoinFlip文件夹,复制其中的 res 和 script 文件夹覆盖新建工 ...

  5. 《Qt Quick 4小时入门》学习笔记4

    http://edu.csdn.net/course/detail/1042/14806?auto_start=1 Qt Quick 4小时入门 第七章:处理鼠标与键盘事件 1.处理鼠标事件 鼠标信号 ...

  6. 《Qt Quick 4小时入门》学习笔记3

    http://edu.csdn.net/course/detail/1042/14807?auto_start=1 Qt Quick 4小时入门 第八章:Qt Quick中的锚(anchors)布局 ...

  7. 《Qt Quick 4小时入门》学习笔记2

    http://edu.csdn.net/course/detail/1042/14805?auto_start=1   Qt Quick 4小时入门 第五章:Qt Quick基本界面元素介绍   1. ...

  8. spring in action 4th --- quick start

    读spring in action. 环境搭建 quick-start依赖注入 面向切面 1.环境搭建 jdk1.8 gradle 2.12 Intelij idea 2016.2.1 1.1创建一个 ...

  9. A Quick Introduction to Linux Policy Routing

    A Quick Introduction to Linux Policy Routing 29 May 2013 In this post, I’m going to introduce you to ...

随机推荐

  1. Mysql 索引原理(转自:张洋)

    摘要 本文以MySQL数据库为 研究对象,讨论与数据库索引相关的一些话题.特别需要说明的是,MySQL支持诸多存储引擎,而各种存储引擎对索引的支持也各不相同,因此MySQL数据 库支持多种索引类型,如 ...

  2. redis的五种基本数据类型

    redis基本数据类型 redis一共分为5中基本数据类型:String,Hash,List,Set,ZSet 第一种String String类型是包含很多种类型的特殊类型,并且是二进制安全的.比如 ...

  3. 自定义View Measure过程(2)

    目录 目录 1. 作用 测量View的宽/高 在某些情况下,需要多次测量(measure)才能确定View最终的宽/高: 在这种情况下measure过程后得到的宽/高可能是不准确的: 建议在layou ...

  4. 在Framework2.0环境下运行3.5的代码

    因为许多的服务器特别是廉价的服务器上使用的是Framework的v2.0.50727.再加上自己开发的算是产品,所以就需要降低一些客户的前期成本,而自己同时也喜欢简单的代码.后来查了下,得知其实Fra ...

  5. c中结构体的4种定义

    1.常规的标准方式: 1 #include <stdio.h>  2   3 struct student{  4     int age;  5     float score;  6 ...

  6. python--线程池(concurrent.futures)

    #!/usr/bin/env python # -*- coding:utf-8 -*- # author:love_cat # 为什么需要线程池 # 1.主线程中可以获取某一个线程的状态或者某一个任 ...

  7. sql server判断数据库、表、列、视图是否存在

    1 判断数据库是否存在 if exists (select * from sys.databases where name = '数据库名') drop database [数据库名] 2 判断表是否 ...

  8. Appium+python自动化1-环境搭建(上)【转载】

    前言 appium可以说是做app最火的一个自动化框架,它的主要优势是支持android和ios,另外脚本语言也是支持java和Python.小编擅长Python,所以接下来的教程是appium+py ...

  9. URl 传参时+号变成空格

    前端用base64加密后的数据,传递到后台时发现一个问题: 比如 韩飞 这个名字,base64加密后的字符串为 6Z+p6aOe 但是后端接受到参数为: 6Z p6aOe +号变成了空格,导致后台解密 ...

  10. 4.NFC前台调度系统

    使用目的:当前Activity能直接响应NFC标签,而不需要用户在choose所有能处理的Activity. 使用步骤: 第一步:在onCreate()方法中,创建一个PendingIntent对象 ...