- Print
- DarkLight
- PDF
The Platform for Privacy Preferences Project (P3P) was developed by the World Wide Web Consortium. P3P provides an automated way for Web site users to control how personal information is used as they interact with Web sites. Essentially, P3P allows users to dictate interactions with Web sites based on the intended usage of information gathered during their visits.
This section provides information about configuring SDC to use your P3P settings. For more information about P3P, see www.w3c.org
.
How SDC Supports P3P
SDC is a specialized Web server that you can configure to communicate your company’s P3P policy to Web clients (browsers). As part of the typical interaction between Web clients and SDC, a valid HTTP response is returned to the Web client. If SDC is configured to track cookies, the HTTP response includes a Set-Cookie directive. Web clients that are P3P-aware, such as Internet Explorer, read the P3P data provided by Web sites and compare that data to the Web site user’s privacy preferences. The cookie may be rejected, downgraded, or leashed depending on whether the response is considered innocuous. How P3P-aware browsers handle a cookie is typically based on the existence of and the values included in a P3P compact policy which is available in the HTTP response.
How Internet Explorer Handles SDC Cookies
Microsoft Internet Explorer takes action on cookies based on the context in which the cookie was sent and on the content of its compact policy. Depending on the situation, Internet Explorer accepts, denies, downgrades, or leashes the cookie. A downgraded cookie is a persistent cookie that is deleted when the browsing session ends or the cookie expires, whichever comes first. A leashed cookie is one that is only sent on requests to download first-party content. When requests are made for third-party content, these cookies are suppressed and not sent. For example, suppose www.abcxyz.com
is in the first-party context and sets a cookie in Internet Explorer 6. Suppose also that this cookie is leashed. When www.abcxyz.com
is later present in a third-party context, the cookie is suppressed.
Understanding P3P Headers
In order make your privacy policy readable to P3P-aware browsers, SDC provides a means to include a P3P header in the HTTP response from SDC to the Web clients. Although providing this information is optional, it is common practice for Web sites that set cookies to provide a compact policy. The P3P header can contain your company’s compact policy and/or a reference to your company's detailed privacy policy.
The format of the P3P response header is as follows:
P3P: CP="compact policy", policyref="URI to privacy policy"
where
compact policy is your company's compact privacy policy.
URI to privacy policy is the URI to your company's human readable privacy policy which is hosted by your Web site server.
The following examples show valid P3P response headers.
P3P: CP="PSA CON OTR", policy="http://www.acompany.com/w3c/policy.xml"
P3P: policy="http://www.acompany.com/w3c/policy.xml"
P3P: CP="PSA CON OTR"
The SDC installation directory/dcwebroot/w3c directory includes a sample privacy policy, p3p.xml.sample
, that shows the type of information included in a privacy report. Use this sample file as a reference only. Your privacy policy file should be hosted by your Web site server rather than the SDC server and should reflect your organization’s privacy statement.
Configuring SDC to Issue a P3P Response Header
You can configure SDC to include the same P3P header for every response (global), or different P3P headers based on the resource accessed (per hit). The per hit method allows you to define separate P3P policies for different sections within a Web site.
Global P3P Configuration
You can configure SDC to issue the same P3P header for every response. If you specified a P3P response header during the SDC installation, you do not need to configure global P3P settings.
To issue a global P3P header:
Edit the
dcs.cfg
file.In the
[logserver]
section, set thep3pfrom
setting toglobal
.Set the
P3P
setting to the exact string that is to be included in the P3P HTTP header, including double quotes. You should modify the default setting to reflect your organization’s P3P compact policy.For example, configuring the following settings in the
dcs.cfg
filep3pfrom=global
P3P=CP="PSA CON OTR",policyref="http://www.acompany.com/w3c/policy.xml"
results in the following P3P response header:
P3P: CP="PSA CON OTR",policyref="http://www.acompany.com/w3c/policy.xml"
For more information about the
dsc.cfg
settings, see “logserver Section.”
to the first article in this subcategory (guide)
sw
Per Hit P3P Configuration
You can configure SDC to issue a P3P header according to the resource accessed for that hit.
To issue P3P headers on a per hit basis:
- Edit the
dcs.cfg
file. - In the
[logserver]
section, set thep3pfrom
setting tohit
. - If your P3P header will contain a compact policy, generate P3P compact policy identifier. For more information, see “Generating Compact Policy Identifiers,” below.
- Include the P3P compact policy identifier and/or
policyref
in the SDC JavaScript tag or META tag.
Generating Compact Policy Identifiers
If the P3P header is to contain a compact policy, you need a compact policy identifier to place in the SDC tag. The identifier is a 25-digit hexadecimal value that SDC translates into compact policy tokens. You can generate identifiers using the lfmcp
utility which is included with the SDC installation.
The SDC compact policy utility (lfmcp
) is a command line tool that generates a compact policy identifier that you should use in the SDC JavaScript tag or META tag. The identifier has the following syntax:
lfmcp [-option] [key=value]
where [-option]
is one of the following:
-help
Displays help information.-showtokens
Displays the list of P3P compact policy tokens.-showmap
Displays compact policy token to the identifier map.
and [key=value]
is one of the following:
cp=token[,token,...]|@file
Specifies a list of P3P compact policy tokens to convert into identifiers.id=value|@file
Specifies an identifier to convert into a list of P3P compact policy tokens.
Valid P3P compact policy tokens are as defined by the World Wide Web Consortium (http://www.w3.org
). See the -showtokens option
. Tokens may be specified on the command line using a comma-delimited list, or by using a response file.
For example, suppose you wanted to define your compact policy using the following tokens: PSA
, CON
, OTR
.
Generate the compact policy identifier by invoking lfmcp
as follows:
lfmcp cp=PSA,CON,OTR
lfmcp - SDC P3P Compact Policy utility.
(c) Copyright 2002, WebTrends Corp. All rights reserved.
Compact Policy:
PSA CON OTR
Identifier:
0000000080800000000000200
Include P3P Header Information in the Tag
You can configure your SDC JavaScript tag to pass the compact policy and/or policyref
for a given resource by enabling the dcsp3p
parameter. For more information about modifying the SDC tag, see “Tagging Web Pages for SDC” in the SmartSource Data Collector User’s Guide.
If you want to include the P3P header in your HTML META tags, add the following tag to the header:
<META NAME="DCS.dcsp3p" CONTENT="compactpolicyid,policyref">
If you want to modify the SDC JavaScript tag directly, add the following line:
DCS.dcsp3p="compactpolicyid,policyref";
where
compactpolicyid
Specifies the compact policy to include in the P3P response header. The identifier is a 25-digit hexadecimal value that is translated by SDC into to a series of compact policy tokens. You can get this value by using the lfmcp
utility.
policyref
Specifies the URI of the policyref to include in the P3P response header. Do not enclose the URI in quotes.
The dcsp3p
parameter may contain a compact policy identifier, a policyref
, or both.
The following are examples of P3P headers and the corresponding SDC tag modifications needed to generate the headers.
Example 1 - Compact policy and policyref
P3P Header : P3P: CP="PSA CON OTR",policyref="http://www.acompany.com/w3c/policy.xml"
SDC Tag : DCS.dcsp3p=”0000000080800000000000200,http://www.acompany.com/w3c/policy.xml";
Example 2 - Policyref only
P3P Header: P3P: policyref="http://www.acompany.com/w3c/policy.xml"
SDC Tag: DCS.dcsp3p=”,http://www.acompany.com/w3c/policy.xml";
Example 3 - Compact policy only
P3P Header: P3P: CP="PSA CON OTR"
SDC Tag: DCS.dcsp3p=”0000000080800000000000200";
In addition, you must configure the <NOSCRIPT>
section appropriately by modifying
SRC=http://@@DOMAIN@@/njs.gif?dcsuri=/nojavascript
to
SRC=http://@@DOMAIN@@/njs.gif?dcsuri=/nojavascript&dcsp3p=compactpolicyid,policyref