P3P Made Simple

By default, IE will reject cookies coming from 3rd-party contexts. A 3rd-party context is one where the domain on the content is different than the domain of the page that pulls in that content. Possible third-party contexts include pretty much any element that accepts a URL: <script>, <img>, <link>, <frame>, <iframe>, <audio>,<video>, et cetera. It also includes cross-domainXmlHttpRequests which attempt to send cookies when thewithCredentials flag is set.

For instance, consider a webpage with a subframe, like this:

The 1st-Party Context is domain1.com and the 3rd-Party Context is domain2.com. By default, if the HTML content in the IFRAME tries to set a cookie, it will fail to do so. IE will behave as if the cookie from domain2.com doesn’t exist.

Unfortunately, IE’s F12 Developer Tools won’t show a warning when this happens. In older versions of IE, you’d see a little “eye” icon in the IE status bar, but that was removed in IE9. Today, to see that a cookie has been rejected, you have to click View > Web Page Privacy Policy.

That command will show you a summary of what happened to cookies during the loading of the page. For instance, loading this blog post yields the following:

Declare Your Policy

To get IE to accept cookies from your server in a 3rd-party context (or to get IE to resend a previously-set cookie toyour server when it is accessed in a 3rd-party context), you must declare the privacy policy that governs how your cookies will be used. That declaration takes the form of a P3P header on the HTTP response (or, less commonly, a META tag with the same content).

For instance, this blog sends the following:

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Each token in the Compact Policy (CP) attribute has a particular meaning that explains in a machine-readable way how the cookie will be used. Fiddler’s Cookies Response Inspector breaks down the policy into English (well…legalese, at least :-)

Upon receiving a cookie, IE will automatically the cookie’s privacy policy to the user’s configured preferences when deciding whether or not to accept, restrict, or block the cookie.

The P3P statement must be provided by the 3rd party content. In our example:

…when the subframe tries to set a cookie, IE only considers the P3P statement from domain2.com. Adding a P3P statement to domain1.com will NOT change the cookie handling for the subframe.

A P3P statement is a legal declaration of how your cookie will be used. You shouldn’t just throw “whatever works” into a P3P header, or you might find yourself in violation of national privacy laws and/or subject to civil lawsuits.

From: http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx

A Quick Look at P3P的更多相关文章

  1. Security Report: Stop using relative path to import CSS files

    Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities   Early last year G ...

  2. IE block my cookie in iframe

    ---恢复内容开始--- There is a severe bug that a leader figured it out in a published project. In IE11, the ...

  3. [算法]——快速排序(Quick Sort)

    顾名思义,快速排序(quick sort)速度十分快,时间复杂度为O(nlogn).虽然从此角度讲,也有很多排序算法如归并排序.堆排序甚至希尔排序等,都能达到如此快速,但是快速排序使用更加广泛,以至于 ...

  4. Quick Cocos (2.2.5plus)CoinFlip解析(MenuScene display AdBar二次封装)

    转载自:http://cn.cocos2d-x.org/tutorial/show?id=1621 从Samples中找到CoinFlip文件夹,复制其中的 res 和 script 文件夹覆盖新建工 ...

  5. 《Qt Quick 4小时入门》学习笔记4

    http://edu.csdn.net/course/detail/1042/14806?auto_start=1 Qt Quick 4小时入门 第七章:处理鼠标与键盘事件 1.处理鼠标事件 鼠标信号 ...

  6. 《Qt Quick 4小时入门》学习笔记3

    http://edu.csdn.net/course/detail/1042/14807?auto_start=1 Qt Quick 4小时入门 第八章:Qt Quick中的锚(anchors)布局 ...

  7. 《Qt Quick 4小时入门》学习笔记2

    http://edu.csdn.net/course/detail/1042/14805?auto_start=1   Qt Quick 4小时入门 第五章:Qt Quick基本界面元素介绍   1. ...

  8. spring in action 4th --- quick start

    读spring in action. 环境搭建 quick-start依赖注入 面向切面 1.环境搭建 jdk1.8 gradle 2.12 Intelij idea 2016.2.1 1.1创建一个 ...

  9. A Quick Introduction to Linux Policy Routing

    A Quick Introduction to Linux Policy Routing 29 May 2013 In this post, I’m going to introduce you to ...

随机推荐

  1. 微信设置URL之WebApi方式

    微信公众号开发者设置里的URL,现在采用WebAPI的方式,结果一直报“未能正确设置Token”的错误,采用Handler和MVC的方式倒是可以. 解决步骤一,添加服务器IP到白名单. 解决步骤二,确 ...

  2. c/c++: c++函数返回类型什么情况带const

    c++ 函数的返回类型,包括const 什么时候起作用呢? 函数返回值不想其立即修改的. 例子如下,这是一个简单的避免产生隐形返回变量的方法,abc 的函数返回是引用,main函数中第10行,++ 操 ...

  3. redis集群PHP解决方案

    Redis3.2.4 Cluster集群搭建 服务器环境:192.168.3.229192.168.3.193每台服务器搭建3个节点,组成3个主节点,3个从节点的redis集群. 注意:防火墙一定要开 ...

  4. 解析 Lambda 表达式

    我们先创建一个表达式树: Expression<Func<int, int, int>> expression = (a,b) => a + b; 我们的例子是一个Exp ...

  5. 实现如下语法的功能:var a = (5).plus(3).minus(6); //2

    从汤姆大叔的博客里看到了6个基础题目:本篇是第5题 - 实现如下语法的功能:var a = (5).plus(3).minus(6); //2 解题关键: 1.理解使用(5)和5的区别 2.构造函数原 ...

  6. HashSet底层存储元素的源码分析

    此类实现 Set 接口,由哈希表(实际上是一个 HashMap 实例)支持.它不保证 set 的迭代顺序:特别是它不保证该顺序恒久不变.此类允许使用 null 元素. HashSet<Strin ...

  7. poj1185(状态压缩DP)

    poj1185 题意 给出字母矩阵,只能在字母为 P 的位置放置大炮, 如图所示,每个大炮的射程固定,现在要求尽可能多的放大炮,且使得每个大炮都不在其它大炮的射程内.问最多能放多少. 分析 poj32 ...

  8. SQL表操作习题1

    建表

  9. CSS3:transition过渡效果

    之前的transform 可以实现转换,但是一下子就放大缩小视觉上不太好看,要想渐变该如何呢?可以使用transition transition主要包含四个属性值: transition: prope ...

  10. (转载)EF 使用code first模式创建数据库和 填充种子数据

    第一篇:来自 .net 开发菜鸟 博主的文章:https://www.cnblogs.com/dotnet261010/p/8035213.html 第二篇:来自 JustYong 博主的文章:htt ...