
P3P Compact Privacy Policy
Last updated: 6/6/02

How to add a P3P compact privacy policy to the HTTP headers of a web site running on an Apache web server, with links to P3P privacy policy resources.

Well, no one has asked me this question yet; but I had a devil of a time with it... So, I'm adding it to our FAQs to hopefully help someone out. This fixed the Internet Explorer 6 (IE 6) cookie problems on my web site.

For dcforum administrators, the compact privacy policy below is what I have installed for my forums and it works with IE 6 set to the default privacy settings (Medium).

Make an Apache .htaccess file with a text editor such as Notepad or WordPad (or edit an existing one, taking care not to wipe out an existing one, such as those put on a web site by the FrontPage Server Extensions) and put a line similar to the following in it:

header append P3P: 'CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"'

All on one line, of course. The "' at the end of the line is made up of a " followed by a ' with no space between them.

Upload the file to the directory on the web server to be covered by the policy. I uploaded .htaccess and all of the P3P files with SmartFTP (http://www.smartftp.com/) in the ASCII transfer mode. It will affect that directory and any subdirectories, etc. branching off from it, unless there is another .htaccess file in a subdirectory which overrides it or part of it.

You can check it with the HTTP Header Viewer at http://www.delorie.com/web/headers.html.

Here's an extract from my forum HTTP headers:

HTTP/1.1 200 OK
Date: Wed, 05 Jun 2002 20:42:55 GMT
Server: Apache/1.3.23
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
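
The same check can be made locally once you have the raw response headers. The Python below is an added example, not part of the original FAQ: it finds the P3P header, pulls out the CP tokens, and sorts them into the policy elements of the P3P 1.0 compact-policy vocabulary, reporting any token it does not recognize. The function names are made up for the example, and accepting an a/i/o suffix on every purpose and recipient token is a simplification chosen so that "CURa" passes.

```python
import re

# Compact-policy vocabulary of P3P 1.0, grouped by policy element.
CP_TOKENS = {
    "access": "NOI ALL CAO IDC OTI NON",
    "disputes": "DSP",
    "remedies": "COR MON LAW",
    "non-identifiable": "NID",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "categories": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL "
                  "HEA PRE LOC GOV OTC",
    "test": "TST",
}
# Assumption of this checker: an a/i/o suffix (always, opt-in, opt-out)
# is accepted on any purpose or recipient token, which admits "CURa".
SUFFIXED = {"purpose", "recipient"}


def classify(token):
    """Return the policy element a token belongs to, or None if unrecognized."""
    base, suffix = token[:3], token[3:]
    for group, names in CP_TOKENS.items():
        if base in names.split():
            if suffix == "" or (group in SUFFIXED and suffix in ("a", "i", "o")):
                return group
    return None


def check_p3p(raw_headers):
    """Parse a raw response-header block; None means no P3P header was sent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "p3p":
            continue
        match = re.search(r'CP\s*=\s*"([^"]*)"', value)
        result = {"groups": {}, "unknown": [], "has_cp": bool(match)}
        for token in (match.group(1).split() if match else []):
            group = classify(token)
            if group is None:
                result["unknown"].append(token)
            else:
                result["groups"].setdefault(group, []).append(token)
        return result
    return None


# Header extract shown above on this page.
PAGE_HEADERS = '''HTTP/1.1 200 OK
Date: Wed, 05 Jun 2002 20:42:55 GMT
Server: Apache/1.3.23
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
'''

if __name__ == "__main__":
    print(check_p3p(PAGE_HEADERS))
```

A result of None means the server sent no P3P header at all, which usually means the .htaccess line is not being applied; a non-empty "unknown" list points at a mistyped token.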

To check it in IE 6, delete the relevant cookies in C:\windows\cookies or wherever they are. (I deleted the ones with duxcw in them--my domain is duxcw.com--but they may not have that in them. It may have your Unix user name in it if you installed the script, etc. that does the cookie functions.) Open IE 6, Tools, Internet Options, Privacy... Click Edit in Web Sites, and Remove your web site if it is set to "Allow." Then set the Security for the Site to Default, which is Medium. After that, click Advanced, Override automatic cookie handling, set both for Prompt, OK, OK. Now browse to the directory with the compact privacy policy and a page that does the cookies thing; e.g., in my case, our forums. This should produce the prompt. In the cookie prompt click More Info. If the HTTP header is working, you should see the compact privacy policy at the bottom of the screen. I saw nothing in that box until I got it right. After testing, reset your IE privacy to the desired configuration. Also, one can view a web site's P3P Privacy Policy with IE 6 by clicking View, Privacy Report, selecting the site or a directory of a site, and clicking Summary.

My forum directory is set up with a separate P3P privacy policy from the rest of the site, because the forum software uses cookies. If I used one P3P policy for the whole site it would unnecessarily restrict the privacy of that part of the site that does not use cookies and I would have to put a compact privacy policy HTTP header on every page on the site. I will also add a third P3P policy for our Online Store as soon as I finish testing the new software and bring it on line. The store will also use cookies, but it will be more restrictive than the forums.

The Apache documentation on the Header Directive is at http://httpd.apache.org/docs/mod/mod_headers.html#header.

I found Ken Coar's Using .htaccess Files with Apache at http://apache-server.com/tutorials/ATusing-htaccess.html quite useful.

The Platform for Privacy Preferences section of the W3C web site is at http://www.w3.org/P3P/.

The Platform for Privacy Preferences 1.0 Deployment Guide is available at http://www.w3.org/TR/2002/NOTE-p3pdeployment-20020211

I used the IBM P3P Policy Editor to make the compact privacy policy. You can download it at http://www.alphaworks.ibm.com/tech/p3peditor. Save your work if you intend to go to another application and copy some text to paste into the P3P editor, because that caused it to lock up frequently on my computer.

I also found that the IBM P3P Policy editor was rather difficult to understand and use until I read through most of The Platform for Privacy Preferences 1.0 (P3P1.0) Specification at http://www.w3.org/TR/2002/PR-P3P-20020128/.

The P3P Validator at http://apache-server.com/tutorials/ATusing-htaccess.html will check your P3P Privacy Policy. I had a problem with the validator when it reported mismatched tags for one of my four P3P Privacy Policy entries in the p3p.xml file (you will learn about that file in the references; the IBM P3P Policy Editor generates it). I inspected everything carefully and could not find anything wrong with the tags. I redid that section by copying, pasting, and editing one of the other entries, but the error kept appearing. Finally I hand-typed the entry and that fixed it. I can only guess that it was being caused by an invisible control code, a problem I have not seen in a long time.

Microsoft has a rather long presentation on the IE 6 P3P cookie features.

Please, don't ask me my opinion of the wisdom (or lack of) behind the P3P Privacy Policy thing...

Larry


Copyright © 1996-2006 Larry F. Byard. All rights reserved. This material or parts thereof may not be copied, published, put on the Internet, rewritten, or redistributed without explicit, written permission from the author.