P3P Made Simple

By default, IE will reject cookies coming from 3rd-party contexts. A 3rd-party context is one where the domain on the content is different than the domain of the page that pulls in that content. Possible third-party contexts include pretty much any element that accepts a URL: <script>, <img>, <link>, <frame>, <iframe>, <audio>,<video>, et cetera. It also includes cross-domainXmlHttpRequests which attempt to send cookies when thewithCredentials flag is set.

For instance, consider a webpage with a subframe, like this:

The 1st-Party Context is domain1.com and the 3rd-Party Context is domain2.com. By default, if the HTML content in the IFRAME tries to set a cookie, it will fail to do so. IE will behave as if the cookie from domain2.com doesn’t exist.

Unfortunately, IE’s F12 Developer Tools won’t show a warning when this happens. In older versions of IE, you’d see a little “eye” icon in the IE status bar, but that was removed in IE9. Today, to see that a cookie has been rejected, you have to click View > Web Page Privacy Policy.

That command will show you a summary of what happened to cookies during the loading of the page. For instance, loading this blog post yields the following:

Declare Your Policy

To get IE to accept cookies from your server in a 3rd-party context (or to get IE to resend a previously-set cookie toyour server when it is accessed in a 3rd-party context), you must declare the privacy policy that governs how your cookies will be used. That declaration takes the form of a P3P header on the HTTP response (or, less commonly, a META tag with the same content).

For instance, this blog sends the following:

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Each token in the Compact Policy (CP) attribute has a particular meaning that explains in a machine-readable way how the cookie will be used. Fiddler’s Cookies Response Inspector breaks down the policy into English (well…legalese, at least :-)

Upon receiving a cookie, IE will automatically the cookie’s privacy policy to the user’s configured preferences when deciding whether or not to accept, restrict, or block the cookie.

The P3P statement must be provided by the 3rd party content. In our example:

…when the subframe tries to set a cookie, IE only considers the P3P statement from domain2.com. Adding a P3P statement to domain1.com will NOT change the cookie handling for the subframe.

A P3P statement is a legal declaration of how your cookie will be used. You shouldn’t just throw “whatever works” into a P3P header, or you might find yourself in violation of national privacy laws and/or subject to civil lawsuits.

From: http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx

A Quick Look at P3P的更多相关文章

  1. Security Report: Stop using relative path to import CSS files

    Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities   Early last year G ...

  2. IE block my cookie in iframe

    ---恢复内容开始--- There is a severe bug that a leader figured it out in a published project. In IE11, the ...

  3. [算法]——快速排序(Quick Sort)

    顾名思义,快速排序(quick sort)速度十分快,时间复杂度为O(nlogn).虽然从此角度讲,也有很多排序算法如归并排序.堆排序甚至希尔排序等,都能达到如此快速,但是快速排序使用更加广泛,以至于 ...

  4. Quick Cocos (2.2.5plus)CoinFlip解析(MenuScene display AdBar二次封装)

    转载自:http://cn.cocos2d-x.org/tutorial/show?id=1621 从Samples中找到CoinFlip文件夹,复制其中的 res 和 script 文件夹覆盖新建工 ...

  5. 《Qt Quick 4小时入门》学习笔记4

    http://edu.csdn.net/course/detail/1042/14806?auto_start=1 Qt Quick 4小时入门 第七章:处理鼠标与键盘事件 1.处理鼠标事件 鼠标信号 ...

  6. 《Qt Quick 4小时入门》学习笔记3

    http://edu.csdn.net/course/detail/1042/14807?auto_start=1 Qt Quick 4小时入门 第八章:Qt Quick中的锚(anchors)布局 ...

  7. 《Qt Quick 4小时入门》学习笔记2

    http://edu.csdn.net/course/detail/1042/14805?auto_start=1   Qt Quick 4小时入门 第五章:Qt Quick基本界面元素介绍   1. ...

  8. spring in action 4th --- quick start

    读spring in action. 环境搭建 quick-start依赖注入 面向切面 1.环境搭建 jdk1.8 gradle 2.12 Intelij idea 2016.2.1 1.1创建一个 ...

  9. A Quick Introduction to Linux Policy Routing

    A Quick Introduction to Linux Policy Routing 29 May 2013 In this post, I’m going to introduce you to ...

随机推荐

  1. 转:Android Context的理解

    转载请标明出处:http://blog.csdn.net/lmj623565791/article/details/40481055,本文出自:[张鸿洋的博客] 本文大多数内容翻译自:http://w ...

  2. 求LCA最近公共祖先的离线Tarjan算法_C++

    这个Tarjan算法是求LCA的算法,不是那个强连通图的 它是 离线 算法,时间复杂度是 O(m+n),m 是询问数,n 是节点数 它的优点是比在线算法好写很多 不过有些题目是强制在线的,此类离线算法 ...

  3. mysql-\g和\G的作用

    \g 的作用是分号和在sql语句中写’;’是等效的 \G 的作用是将查到的结构旋转90度变成纵向(可以将一个很长的行转为好看的格式) 这两个只能在DOS窗口使用,可视化工具中不能使用. 例如:

  4. ReferenceError与undefined的区别

    ReferenceError与undefined的区别 概述 ReferenceError 当尝试引用一个未定义的变量/函数时,就会抛出一个ReferenceError. undefined 当一个变 ...

  5. 安装ubuntu配置ssh

    vmware安装ubuntu后,必须配置网卡,重新设置MAC,否则无法连接网络(具体方法百度)NAT直连模式xshell连接时host为ifconfig显示的IP地址,不需要设置端口转发,端口还是22 ...

  6. JQuery实现多个菜单的显示隐藏

    (如有错敬请指点,以下是我工作中遇到并且解决的问题) 效果图: 点击各个菜单显示/隐藏,以及点击灰色部分隐藏. 比如点击了第一个菜单,然后点击第二个菜单,第一个菜单会隐藏,再显示第二个菜单,不会叠加. ...

  7. Selenium2+python自动化5-操作浏览器基本方法【转载】

    前言前面已经把环境搭建好了,这从这篇开始,正式学习selenium的webdriver框架.我们平常说的 selenium自动化,其实它并不是类似于QTP之类的有GUI界面的可视化工具,我们要学的是w ...

  8. [jquery] 给动态生成的元素绑定事件 on方法

    用底下的方法尝试了好多次都失败 $('.del').on('click',function(){ alert('aa'); })// 失败!! 终于在准备放弃前看到一篇博文说的方法 $(documen ...

  9. 线段树【p2629】 好消息,坏消息

    顾z 你没有发现两个字里的blog都不一样嘛 qwq 题目描述-->p2629 好消息,坏消息 历程 刚开始看到这个题,发现是需要维护区间和,满心欢喜敲了一通线段树,简单debug之后交上去 \ ...

  10. 【bzoj2839】【集合计数】容斥原理+线性求阶乘逆元小技巧

    (上不了p站我要死了,侵权度娘背锅) Description 一个有N个元素的集合有2^N个不同子集(包含空集),现在要在这2^N个集合中取出若干集合(至少一个),使得 它们的交集的元素个数为K,求取 ...