P3P and SDC
16 Apr 2020


The Platform for Privacy Preferences Project (P3P) was developed by the World Wide Web Consortium (W3C). P3P gives a Web site a machine-readable way to declare how it uses the personal information it collects, and gives P3P-aware browsers a way to compare that declaration with the user's privacy preferences and act on the site's cookies accordingly.

This section describes how to configure SDC to send your P3P settings. For more information about P3P, see http://www.w3.org.

How SDC Supports P3P

SDC is a specialized Web server that you can configure to communicate your company's P3P policy to Web clients (browsers). As part of the typical interaction between a Web client and SDC, SDC returns a valid HTTP response; if SDC is configured to track visitors with cookies, that response includes a Set-Cookie header. P3P-aware Web clients, such as Internet Explorer, read the P3P data sent by the Web site and compare it with the user's privacy preferences. Depending on that comparison, the cookie may be accepted, rejected, downgraded, or leashed. How a P3P-aware browser treats the cookie is typically determined by whether a P3P compact policy is present in the HTTP response and by the tokens it contains. Browsers that are not P3P-aware ignore the header entirely: the header declares your policy, it does not enforce anything.

How Internet Explorer Handles SDC Cookies

Microsoft Internet Explorer takes action on cookies based on the context in which the cookie was sent and on the content of its compact policy. Depending on the situation, Internet Explorer accepts, denies, downgrades, or leashes the cookie. A downgraded cookie is a persistent cookie that is deleted when the browsing session ends or the cookie expires, whichever comes first. A leashed cookie is one that is only sent on requests to download first-party content. When requests are made for third-party content, these cookies are suppressed and not sent. For example, suppose www.abcxyz.com is in the first-party context and sets a cookie in Internet Explorer 6. Suppose also that this cookie is leashed. When www.abcxyz.com is later present in a third-party context, the cookie is suppressed.

Understanding P3P Headers

To make your privacy policy readable by P3P-aware browsers, SDC can include a P3P header in the HTTP responses it sends to Web clients. Providing this information is optional, but it is common practice for Web sites that set cookies to provide a compact policy. The P3P header can contain your company's compact policy, a reference (policyref) to your company's full P3P policy file, or both.

The format of the P3P response header is as follows:

P3P: CP="compact policy", policyref="URI to privacy policy"

where

compact policy is your company's compact privacy policy: a space-separated list of P3P compact policy tokens.

URI to privacy policy is the URI of your company's P3P policy file (an XML file, such as the policy.xml in the examples below), which is hosted by your Web site server.

Both values are enclosed in double quotes, and the two directives are separated by a comma. The following examples show valid P3P response headers.

P3P: CP="PSA CON OTR", policyref="http://www.acompany.com/w3c/policy.xml"
P3P: policyref="http://www.acompany.com/w3c/policy.xml"
P3P: CP="PSA CON OTR"
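The following JavaScript is an added example, not part of SDC or of the Webtrends documentation, for checking the header text that SDC is configured to emit: the value you put after the P3P= setting in dcs.cfg, or the header observed on a live response (for example with curl -sI and grep P3P:). It parses the two directives, validates every compact policy token against the token list in the W3C P3P 1.0 specification (this page does not list the tokens; lfmcp -showtokens prints SDC's copy), and reports the mistakes that silently defeat the header: a misspelled directive name such as policy instead of policyref, an unknown token, or a header that carries neither directive. buildP3PHeader produces the same string in the form used by the dcs.cfg P3P setting. The function names and the sample headers are constructed for this example.

```javascript
// Added example (not SDC code): parse and sanity-check a P3P response header.
// Compact policy tokens as defined in the W3C P3P 1.0 specification. Purpose
// and recipient tokens may carry an a/i/o suffix (always / opt-in / opt-out).
const P3P_TOKENS = {
  access: ["NOI", "ALL", "CAO", "IDC", "OTI", "NON"],
  disputes: ["DSP"],
  remedies: ["COR", "MON", "LAW"],
  nonIdentifiable: ["NID"],
  purpose: ["CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"],
  recipient: ["OUR", "DEL", "SAM", "UNR", "PUB", "OTR"],
  retention: ["NOR", "STP", "LEG", "BUS", "IND"],
  category: ["PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
             "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"],
  test: ["TST"],
};
const SUFFIXABLE = new Set([...P3P_TOKENS.purpose, ...P3P_TOKENS.recipient]);

// Return the category of a compact policy token, or null if it is not one.
function classifyToken(token) {
  let base = token;
  if (token.length === 4 && "aio".includes(token[3]) &&
      SUFFIXABLE.has(token.slice(0, 3))) {
    base = token.slice(0, 3);
  }
  for (const [category, tokens] of Object.entries(P3P_TOKENS)) {
    if (tokens.includes(base)) return category;
  }
  return null;
}

// Parse a P3P header value (an optional leading "P3P:" is accepted, so the
// raw line from an HTTP response can be passed in). Directives are comma
// separated and their values are double quoted, as in the examples above.
// Returns { cp: [tokens] | null, policyref: string | null, errors: [string] }.
function parseP3PHeader(value) {
  const result = { cp: null, policyref: null, errors: [] };
  const directive = /^\s*([A-Za-z]+)\s*=\s*"([^"]*)"\s*(?:,|$)/;
  let rest = value.replace(/^\s*P3P\s*:/i, "").trim();
  if (rest === "") {
    result.errors.push("empty header value");
    return result;
  }
  while (rest !== "") {
    const m = directive.exec(rest);
    if (!m) {
      result.errors.push(`cannot parse near: ${rest.slice(0, 30)}`);
      break;
    }
    const [matched, name, val] = m;
    rest = rest.slice(matched.length);
    if (name === "CP") {
      if (result.cp !== null) result.errors.push("duplicate CP directive");
      result.cp = val.split(/\s+/).filter(Boolean);
      if (result.cp.length === 0) result.errors.push("empty compact policy");
      for (const t of result.cp) {
        if (classifyToken(t) === null) result.errors.push(`unknown token ${t}`);
      }
    } else if (name === "policyref") {
      if (result.policyref !== null) result.errors.push("duplicate policyref directive");
      result.policyref = val;
    } else {
      result.errors.push(`unknown directive ${name} (expected CP or policyref)`);
    }
  }
  if (result.cp === null && result.policyref === null) {
    result.errors.push("header carries neither CP nor policyref");
  }
  return result;
}

// Build the header value in the form the dcs.cfg P3P setting takes,
// e.g. CP="PSA CON OTR",policyref="http://www.acompany.com/w3c/policy.xml".
function buildP3PHeader(tokens, policyref) {
  const parts = [];
  if (tokens && tokens.length > 0) {
    const bad = tokens.filter((t) => classifyToken(t) === null);
    if (bad.length > 0) throw new Error(`not P3P compact policy tokens: ${bad.join(" ")}`);
    parts.push(`CP="${tokens.join(" ")}"`);
  }
  if (policyref) {
    if (policyref.includes('"')) throw new Error("policyref must not contain double quotes");
    parts.push(`policyref="${policyref}"`);
  }
  if (parts.length === 0) throw new Error("need compact policy tokens, a policyref, or both");
  return parts.join(",");
}

// Constructed sample headers: the three valid forms from the text, plus a
// misspelled directive ("policy" instead of "policyref") that leaves a
// P3P-aware browser with neither a compact policy nor a policy reference.
const SAMPLE_HEADERS = [
  'CP="PSA CON OTR",policyref="http://www.acompany.com/w3c/policy.xml"',
  'policyref="http://www.acompany.com/w3c/policy.xml"',
  'CP="PSA CON OTR"',
  'policy="http://www.acompany.com/w3c/policy.xml"',
];
for (const h of SAMPLE_HEADERS) {
  const r = parseP3PHeader(h);
  console.log(h, "=>", r.errors.length === 0 ? "ok" : r.errors.join("; "));
}
```

Run it with node; the last sample header is reported as an unknown directive with neither CP nor policyref present, which is exactly the case a browser would treat as "no policy".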

Note

The dcwebroot/w3c directory under the SDC installation directory includes a sample P3P policy file, p3p.xml.sample, that shows the type of information a P3P policy contains. Use this sample file as a reference only. Your policy file should be hosted by your Web site server rather than the SDC server, and it should reflect your organization's actual privacy statement.

Configuring SDC to Issue a P3P Response Header

You can configure SDC to include the same P3P header for every response (global), or different P3P headers based on the resource accessed (per hit). The per hit method allows you to define separate P3P policies for different sections within a Web site.

Global P3P Configuration

You can configure SDC to issue the same P3P header for every response. If you specified a P3P response header during the SDC installation, you do not need to configure global P3P settings.

To issue a global P3P header:

  1. Edit the dcs.cfg file.

  2. In the [logserver] section, set the p3pfrom setting to global.

  3. Set the P3P setting to the exact string that is to be included in the P3P HTTP header, including double quotes. You should modify the default setting to reflect your organization’s P3P compact policy.

    For example, configuring the following settings in the dcs.cfg file

    p3pfrom=global
    P3P=CP="PSA CON OTR",policyref="http://www.acompany.com/w3c/policy.xml"

    results in the following P3P response header:

    P3P: CP="PSA CON OTR",policyref="http://www.acompany.com/w3c/policy.xml"

    For more information about the dcs.cfg settings, see “logserver Section.”


Per Hit P3P Configuration

You can configure SDC to issue a P3P header according to the resource accessed for that hit.

To issue P3P headers on a per hit basis:

  1. Edit the dcs.cfg file.
  2. In the [logserver] section, set the p3pfrom setting to hit.
  3. If your P3P header will contain a compact policy, generate a P3P compact policy identifier. For more information, see “Generating Compact Policy Identifiers,” below.
  4. Include the P3P compact policy identifier and/or policyref in the SDC JavaScript tag or META tag.

Generating Compact Policy Identifiers

If the P3P header is to contain a compact policy, you need a compact policy identifier to place in the SDC tag. The identifier is a 25-digit hexadecimal value that SDC translates into compact policy tokens. You can generate identifiers using the lfmcp utility which is included with the SDC installation.

The SDC compact policy utility (lfmcp) is a command line tool that generates the compact policy identifier to use in the SDC JavaScript tag or META tag. The command has the following syntax:

lfmcp [-option] [key=value]

where [-option] is one of the following:

  • -help Displays help information.

  • -showtokens Displays the list of P3P compact policy tokens.

  • -showmap Displays compact policy token to the identifier map.

and [key=value] is one of the following:

  • cp=token[,token,...]|@file  Specifies a list of P3P compact policy tokens to convert into an identifier.

  • id=value|@file  Specifies an identifier to convert back into its list of P3P compact policy tokens.

Valid P3P compact policy tokens are as defined by the World Wide Web Consortium (http://www.w3.org). See the -showtokens option. Tokens may be specified on the command line using a comma-delimited list, or by using a response file.

For example, suppose you wanted to define your compact policy using the following tokens: PSA, CON, OTR.

Generate the compact policy identifier by invoking lfmcp as follows:

lfmcp cp=PSA,CON,OTR

lfmcp - SDC P3P Compact Policy utility.
(c) Copyright 2002, WebTrends Corp. All rights reserved.

Compact Policy:
PSA CON OTR

Identifier:
0000000080800000000000200

Include P3P Header Information in the Tag

You can configure your SDC JavaScript tag to pass the compact policy and/or policyref for a given resource by enabling the dcsp3p parameter. For more information about modifying the SDC tag, see “Tagging Web Pages for SDC” in the SmartSource Data Collector User’s Guide.

If you want to include the P3P header in your HTML META tags, add the following tag to the header:
<META NAME="DCS.dcsp3p" CONTENT="compactpolicyid,policyref">

If you want to modify the SDC JavaScript tag directly, add the following line:
DCS.dcsp3p="compactpolicyid,policyref";

where
compactpolicyid
Specifies the compact policy to include in the P3P response header. The identifier is a 25-digit hexadecimal value that SDC translates into a series of compact policy tokens. You can get this value by using the lfmcp utility.

policyref
Specifies the URI of your P3P policy file, which SDC includes as the policyref in the P3P response header. Do not enclose the URI in quotes.

The dcsp3p parameter may contain a compact policy identifier, a policyref, or both.

The following are examples of P3P headers and the corresponding SDC tag modifications needed to generate the headers.

Example 1 - Compact policy and policyref

P3P Header: P3P: CP="PSA CON OTR",policyref="http://www.acompany.com/w3c/policy.xml"
SDC Tag: DCS.dcsp3p="0000000080800000000000200,http://www.acompany.com/w3c/policy.xml";

Example 2 - Policyref only

P3P Header: P3P: policyref="http://www.acompany.com/w3c/policy.xml"
SDC Tag: DCS.dcsp3p=",http://www.acompany.com/w3c/policy.xml";

Example 3 - Compact policy only

P3P Header: P3P: CP="PSA CON OTR"
SDC Tag: DCS.dcsp3p="0000000080800000000000200";


In addition, you must configure the <NOSCRIPT> section appropriately by modifying
SRC=http://@@DOMAIN@@/njs.gif?dcsuri=/nojavascript
to
SRC=http://@@DOMAIN@@/njs.gif?dcsuri=/nojavascript&dcsp3p=compactpolicyid,policyref
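As an added example (not SDC's own tag code), the following JavaScript assembles the dcsp3p value for each of the three cases above, checks that the compact policy identifier has the 25-digit hexadecimal form that lfmcp produces, and builds the matching META tag and NOSCRIPT image SRC from the same inputs so the three places cannot drift apart. The function names and the collector host name sdc.acompany.com are assumptions made for this example. Rejecting quotes and commas inside the policyref, and '&' or '#' when it goes into the NOSCRIPT query string, is also an assumption, based on the comma being the separator and the value being placed unencoded in the query string as the NOSCRIPT line above shows.

```javascript
// Added example (not SDC's tag code): assemble the dcsp3p tag parameter and the
// matching META tag and NOSCRIPT image SRC for a per hit P3P header.

// lfmcp output: a 25-digit hexadecimal identifier (see the example above).
const COMPACT_POLICY_ID = /^[0-9A-Fa-f]{25}$/;

// Returns "id,policyref", ",policyref" or "id", the three forms shown in
// Examples 1 to 3. Either part may be empty, but not both.
function buildDcsp3p(compactPolicyId, policyref) {
  const id = compactPolicyId || "";
  const ref = policyref || "";
  if (id === "" && ref === "") {
    throw new Error("dcsp3p needs a compact policy identifier, a policyref, or both");
  }
  if (id !== "" && !COMPACT_POLICY_ID.test(id)) {
    throw new Error(`not a 25-digit hexadecimal identifier from lfmcp: ${id}`);
  }
  // Assumption: the comma is the separator, and the text says the URI is not
  // quoted, so neither character may appear inside the policyref.
  if (/[",]/.test(ref)) {
    throw new Error("policyref must be an unquoted URI without commas");
  }
  return ref === "" ? id : `${id},${ref}`;
}

// Set the parameter on the SDC JavaScript tag object (DCS.dcsp3p = "...").
// The object is passed in rather than taken from a global so it can be tested.
function setTagDcsp3p(dcs, compactPolicyId, policyref) {
  dcs.dcsp3p = buildDcsp3p(compactPolicyId, policyref);
  return dcs;
}

// The META tag form: <META NAME="DCS.dcsp3p" CONTENT="compactpolicyid,policyref">
function buildMetaTag(compactPolicyId, policyref) {
  return `<META NAME="DCS.dcsp3p" CONTENT="${buildDcsp3p(compactPolicyId, policyref)}">`;
}

// The NOSCRIPT image SRC. The text passes the value unencoded in the query
// string, so (assumption) a policyref containing '&' or '#' would cut the
// dcsp3p parameter short; it is rejected here instead of silently mangled.
function buildNoScriptSrc(domain, compactPolicyId, policyref) {
  const value = buildDcsp3p(compactPolicyId, policyref);
  if (/[&#]/.test(value)) {
    throw new Error("policyref must not contain '&' or '#' in the NOSCRIPT query string");
  }
  return `http://${domain}/njs.gif?dcsuri=/nojavascript&dcsp3p=${value}`;
}

// Constructed inputs: the identifier and policy URI from the examples above,
// with sdc.acompany.com as an assumed collector host name.
const EXAMPLE_ID = "0000000080800000000000200";
const EXAMPLE_REF = "http://www.acompany.com/w3c/policy.xml";
const demoTag = setTagDcsp3p({}, EXAMPLE_ID, EXAMPLE_REF);
console.log("DCS.dcsp3p =", JSON.stringify(demoTag.dcsp3p));
console.log(buildMetaTag("", EXAMPLE_REF));
console.log(buildNoScriptSrc("sdc.acompany.com", EXAMPLE_ID, ""));
```

Keeping the identifier and policyref in one place and generating the JavaScript tag, META tag and NOSCRIPT SRC from it avoids the usual failure where the script tag is updated after a new lfmcp run but the NOSCRIPT fallback keeps sending the old identifier.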

