420  

I got it to work, but the solution is a bit complex, so bear with me.

我让它工作，但是解决方法有点复杂，所以请耐心等待。

What's happening

As it is, Internet Explorer gives lower level of trust to IFRAME pages (IE calls this "third-party" content). If the page inside the IFRAME doesn't have a Privacy Policy, its cookies are blocked (which is indicated by the eye icon in status bar, when you click on it, it shows you a list of blocked URLs).

实际上，Internet Explorer对IFRAME页面(即所谓的“第三方”内容)提供了较低的信任级别。如果IFRAME中的页面没有隐私策略，那么它的cookie就会被阻塞(在状态栏中，当你点击它时，它会显示一个被屏蔽的url列表)。

the evil eye http://stuff.piskvor.org/cookies_blocked_MSIE_eye.png

邪恶之眼http://stuff.piskvor.org/cookies_blocked_MSIE_eye.png

In this case, when cookies are blocked, session identifier is not sent, and the target script throws a 'session not found' error.

在这种情况下，当cookie被阻塞时，会话标识符不会被发送，而目标脚本会抛出一个“未发现的会话”错误。

(I've tried setting the session identifier into the form and loading it from POST variables. This would have worked, but for political reasons I couldn't do that.)

(我尝试将会话标识符设置为表单并从POST变量中加载它。这是可行的，但出于政治原因，我不能这么做。

It is possible to make the page inside the IFRAME more trusted: if the inner page sends a P3P header with a privacy policy that is acceptable to IE, the cookies will be accepted.

可以使IFRAME内的页面更受信任:如果内部页面发送了一个P3P头文件，其隐私策略为IE所接受，那么cookie就会被接受。

How to solve it

Create a p3p policy

A good starting point is the W3C tutorial. I've gone through it, downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by (here it was policy1).

一个好的起点是W3C教程。我已经浏览过了，下载了IBM隐私政策编辑器，在那里我创建了一个隐私策略的表示，并给它一个名称来引用它(这里是policy1)。

NOTE: at this point, you actually need to find out if your site has a privacy policy, and if not, create it - whether it collects user data, what kind of data, what it does with it, who has access to it, etc. You need to find this information and think about it. Just slapping together a few tags will not cut it. This step cannot be done purely in software, and may be highly political (e.g. "should we sell our click statistics?").

注意:在这一点上,你真的需要找出如果你的网站有一个隐私政策,如果没有,创建它,无论是收集用户数据,什么样的数据,它所做的,谁有权访问它,等。你需要找到这个信息和思考。只要把几张标签拍在一起就行了。这一步不能完全用软件来完成，而且可能是高度政治性的。“我们应该出售点击统计数据吗?”)。

(e.g. "the site is operated by ACME Ltd., it uses anonymous per-session identifiers for its operation, collects user data only if explicitly permitted and only for the following purposes, the data is stored only as long as necessary, only our company has access to it, etc. etc.").

(如。“该网站由ACME有限公司运营，它使用匿名的每个会话标识符进行操作，只在明确允许的情况下收集用户数据，并且只有在必要的情况下才会存储数据，只有我们公司才能访问它，等等。”

(When editing with this tool, it's possible to view errors/omissions in the policy. Also very useful is the tab "HTML Policy": at the bottom, it has a "Policy Evaluation" - a quick check if the policy will be blocked by IE's default settings)

(使用此工具进行编辑时，可以在策略中查看错误/省略。另外，标签“HTML策略”也非常有用:在底部，它有一个“策略评估”——如果该策略被IE的默认设置阻止的话，可以快速检查一下。

The Editor exports to a .p3p file, which is an XML representation of the above policy. Also, it can export a "compact version" of this policy.

编辑器导出到.p3p文件，该文件是上述策略的XML表示。此外，它还可以导出该策略的“紧凑版本”。

Link to the policy

Then a Policy Reference file (http://example.com/w3c/p3p.xml) was needed (an index of privacy policies the site uses):

然后需要一个策略引用文件(http://example.com/w3c/p3p.xml)(该站点使用的隐私策略索引):

<META>
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/example-com.p3p#policy1">
      <INCLUDE>/</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>

The <INCLUDE> shows all URIs that will use this policy (in my case, the whole site). The policy file I've exported from the Editor was uploaded to http://example.com/w3c/example-com.p3p

显示将使用此策略的所有uri(在我的例子中是整个站点)。我从编辑器导出的策略文件被上传到http://example.com/w3c/examplecom.p3p。

Send the compact header with responses

I've set the webserver at example.com to send the compact header with responses, like this:

我已经在example.com上设置了webserver来发送紧凑的标题和响应，如下所示:

HTTP/1.1 200 OK 
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR IVAi IVDi OUR TST"
// ... other headers and content

policyref is a relative URI to the Policy Reference file (which in turn references the privacy policies), CP is the compact policy representation. Note that the combination of P3P headers in the example may not be applicable on your specific website; your P3P headers MUST truthfully represent your own privacy policy!

policyref是策略引用文件的相对URI(反过来引用隐私策略)，CP是紧凑的策略表示。请注意，示例中P3P头的组合可能不适用于您的特定网站;你的P3P标题必须如实反映你的隐私政策!

Profit!

In this configuration, the Evil Eye does not appear, the cookies are saved even in the IFRAME, and the application works.

在这个配置中，邪恶的眼睛不会出现，即使在IFRAME中也会保存cookie，应用程序也会工作。

Edit: What NOT to do, unless you like defending from lawsuits

Several people have suggested "just slap some tags into your P3P header, until the Evil Eye gives up".

有几个人建议“只要在你的P3P头部打几个标签，直到邪恶的眼睛放弃”。

The tags are not only a bunch of bits, they have real world meanings, and their use gives you real world responsibilities!

这些标签不仅仅是一堆碎片，它们有真实的世界意义，它们的使用给了你真正的世界责任!

For example, pretending that you never collect user data might make the browser happy, but if you actually collect user data, the P3P is conflicting with reality. Plain and simple, you are purposefully lying to your users, and that might be criminal behavior in some countries. As in, "go to jail, do not collect $200".

例如，假装从不收集用户数据可能会让浏览器感到高兴，但如果你实际收集用户数据，P3P就会与现实相冲突。简单明了地说，你是故意向你的用户撒谎，这可能是一些国家的犯罪行为。如“进*，不收200美元”。

A few examples (see p3pwriter for the full set of tags):

一些例子(参见p3pwriter的完整标签集):

• NOI : "Web Site does not collected identified data." (as soon as there's any customization, a login, or any data collection (***** Analytics, anyone?), you must acknowledge it in your P3P)
• NOI:“网站没有收集已识别的数据。”(一旦有任何自定义、登录或任何数据收集(*****分析，任何人?)，您必须在您的P3P中承认它)。
• STP: Information is retained to meet the stated purpose. This requires information to be discarded at the earliest time possible. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy." (so if you send STP but don't have a retention policy, you may be committing fraud. How cool is that? Not at all.)
• STP:信息被保留以满足既定的目的。这就要求尽早丢弃信息。站点必须具有建立销毁时间表的保留策略。保留政策必须包含在网站的人类可读的隐私政策中。(因此，如果你发送STP但没有保留政策，你可能是在欺诈。这太酷了,不是吗?不是。)

I'm not a lawyer, but I'm not willing to go to court to see if the P3P header is really legally binding or if you can promise your users anything without actually willing to honor your promises.

我不是律师，但我不愿意去法院看P3P头是否真的具有法律约束力，或者你可以向你的用户承诺任何东西，而不愿意履行你的承诺。

160  

I've spend a large part of my day looking into this P3P thing and I feel the need to share what I've found out.

我花了很大一部分时间研究这个P3P的东西，我觉得有必要分享我发现的东西。

I've noticed that the P3P concept is very outdated and seems only to be really used/enforced by Internet Explorer (IE).

我注意到P3P的概念已经很过时了，而且似乎只被Internet Explorer (IE)所使用。

The simplest explanation is: IE wants you to define a P3P header if you are using cookies.

最简单的解释是:如果使用cookie，则需要定义P3P头。

This is a nice idea, and luckily most of the time not providing this header won't cause any issues (read browser warnings). Unless your website/web application is loaded into an other website using an (i)Frame. This is where IE becomes a massive pain in the ***. It will not allow you to set a cookie unless the P3P header is set.

这是一个好主意，而且幸运的是，大多数时候不提供这个消息头不会引起任何问题(阅读浏览器警告)。除非你的网站/网页应用程序被加载到另一个网站使用一个(i)框架。这就是IE成为巨大痛苦的地方。除非设置P3P头，否则它不会允许您设置cookie。

Knowing this I wanted to find an answer to the following two questions:

知道了这一点，我想找到以下两个问题的答案:

1. Who cares? In other words, can I be sued if I put the word "Potato" in the header?
2. 谁在乎呢?换句话说，如果我把“Potato”这个词放在标题里，我能被起诉吗?
3. What do other companies do?
4. 其他公司做什么?

My findings are:

我的发现:

1. No one cares. I'm unable to find a single document that suggests this technology has any legal weight. During my research I didn't find a single country around the world that has adopted a law that prevents you from putting the word "Potato" in the P3P header
2. 没有人在乎。我找不到一份文件表明这项技术有任何法律效力。在我的研究中，我没有发现世界上有一个国家通过了一项法律，禁止你在P3P标题中加入“Potato”这个词。
3. Both Google and Facebook put a link in their P3P header field referring to a page describing why they don't have a P3P header.
4. 谷歌和Facebook都在他们的P3P头字段中添加了一个链接，指向一个页面，该页面描述了为什么他们没有P3P标题。

The concept was born in 2002 and it baffles me that this outdated and legally unimplemented concept is still forced upon developers within IE. If this header doesn't have have any legal ramifications this header should be ignored (or alternatively, generate a warning or notification in the console). Not enforced! I'm now forced to put a line in my code (and send a header to the client) that does absolutely nothing.

这个概念诞生于2002年，让我感到困惑的是，这个过时的、合法的未实现的概念仍然被强加在IE的开发者身上。如果这个消息头没有任何法律分支，那么这个消息头应该被忽略(或者在控制台中生成一个警告或通知)。不执行!现在，我不得不在代码中添加一行(并向客户端发送一个消息头)，这样做什么都不做。

In short - to keep IE happy - add the following line to your PHP code (Other languages should look similar)

简而言之，让IE保持快乐——将以下代码添加到PHP代码中(其他语言应该看起来类似)

header('P3P: CP="Potato"');

Problem solved, and IE is happy with this potato.

问题解决了，IE对这个土豆很满意。

54  

I was able to make the evil eye go away by simply adding this small header to the site in the IFrame (PHP solution):

通过在IFrame (PHP解决方案)中添加这个小标题，我可以让邪恶的眼睛消失:

header('P3P: CP="NOI ADM DEV COM NAV OUR STP"');

Remember to press ctrl+F5 to reload your site or Explorer may still show the evil eye, despite the fact that it's working fine. This is probably the main reason why I had so many problems getting it to work.

记住按ctrl+F5重新加载你的站点或浏览器可能仍然显示邪恶的眼睛，尽管它运行良好。这可能是我有这么多问题要解决的主要原因。

No policy file was neccesary at all.

没有任何政策文件是必要的。

Edit: I found a nice blog entry that explains the problem with cookies in IFrames. It also has a quick fix in C# code: Frames, ASPX Pages and Rejected Cookies

编辑:我发现了一个很好的博客条目，它解释了iframe中cookie的问题。它还可以快速修复c#代码:框架、ASPX页面和拒绝cookie。

21  

This is buried in the comments of other answers, but I almost missed it, so it seems like it deserves its own answer.

这是在其他答案的评论中被埋没的，但我几乎错过了它，所以看起来它应该得到自己的答案。

To review: in order for IE to accept 3rd party cookies, you need serve your files with an http header called p3p in the format:

为了让IE能够接受第三方cookie，你需要使用一个名为p3p的http头文件来为你的文件服务:

CP="my compact p3p policy"

BUT, p3p is pretty much dead as a standard at this point and you can easily get IE to work without investing the time and legal resources in creating a real p3p policy. This is because if your compact p3p policy header is invalid, IE actually treats it as a good policy and accepts 3rd party cookies. So you can use a p3p header such as this

但是，p3p在这一点上已经是一个相当的标准了，你可以很容易地让IE工作，而不需要花费时间和法律资源来创建一个真正的p3p策略。这是因为如果您的紧凑p3p策略头无效(实际上将其视为一个好的策略并接受第三方cookie)。所以你可以使用p3p头，比如这个。

CP="This site does not have a p3p policy."

You can optionally include a link to a page that explains why you don't have a p3p policy, as Google and Facebook do (they point here: https://support.google.com/accounts/answer/151657 and here: https://www.facebook.com/help/327993273962160/).

您可以选择将一个链接添加到一个页面，该链接解释了为什么您没有p3p策略，如谷歌和Facebook所做的那样(它们指向这里:https://support.google.com/accounts/answer/151657和这里:https://www.facebook.com/help/327993273962160/)。

Finally, it's important to note that all files served from the 3rd party site need to have the p3p header, not just the one that sets the cookie, so you may not be able to just do this in your PHP, asp.net, etc code. You are probably better off setting in up on the web server level (i.e. in IIS or Apache).

最后，需要注意的是，来自第三方站点的所有文件都需要有p3p头，而不仅仅是设置cookie的文件头，所以您可能无法在PHP、asp.net等代码中这样做。您最好在web服务器级别(即IIS或Apache)上设置。

20  

I had this issue as well, thought I'd post the code that I used in my MVC2 project. Be careful when in the page life cycle you add in the header or you'll get an HttpException "Server cannot append header after HTTP headers have been sent." I used a custom ActionFilterAttribute on the OnActionExecuting method (called before the action is executed).

我也有这个问题，我认为我会发布我在MVC2项目中使用的代码。在页面生命周期中添加标题时要小心，否则会得到一个HttpException“服务器无法在发送HTTP报头后附加头”。我在onactionexecute方法上使用了自定义ActionFilterAttribute(在执行操作之前调用)。

/// <summary>
/// Privacy Preferences Project (P3P) serve a compact policy (a "p3p" HTTP header) for all requests
/// P3P provides a standard way for Web sites to communicate about their practices around the collection, 
/// use, and distribution of personal information. It's a machine-readable privacy policy that can be 
/// automatically fetched and viewed by users, and it can be tailored to fit your company's specific policies.
/// </summary>
/// <remarks>
/// More info http://www.oreillynet.com/lpt/a/1554
/// </remarks>
public class P3PAttribute : ActionFilterAttribute
{
    /// <summary>
    /// On Action Executing add a compact policy "p3p" HTTP header
    /// </summary>
    /// <param name="filterContext"></param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

        base.OnActionExecuting(filterContext);
    }
}

Example use:

使用示例:

[P3P]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        ViewData["Message"] = "Welcome!";

        return View();
    }

    public ActionResult About()
    {
        return View();
    }
}

14  

This is a great topic on the issue, however I found that one important detail (which was essential at least in my case) that was not posted here or anywhere else (I apologize if I just missed it) was that the P3P line must be passed in header of EVERY file sent from the 3rd party server, even files not setting or using the cookies such as Javascript files or images. Otherwise the cookies will be blocked. I have more on this in a post here: http://posheika.net/?p=110

这是一个很好的话题,但是我发现一个重要的细节(至少对我而言)至关重要,没有张贴在这里或其他地方(我很抱歉如果我错过了)P3P行必须通过从第三方服务器发送的每个文件头,文件不设置或者使用cookie,如Javascript文件或图像。否则，cookie将被阻塞。我在这里有一个帖子:http://posheika.net/?

5  

Anyone having this problem in node.js.

在node.js中有这个问题的人。

Then add this p3p module, and enable this module at middleware.

然后添加这个p3p模块，并在中间件中启用这个模块。

npm install p3p

I am using express so I add it in app.js

我正在使用express，所以我将它添加到app.js中。

First require that module in app.js

首先需要在app.js中使用该模块。

var express = require('express');
var app = express();
var p3p = require('p3p');

then use it as middleware

然后使用它作为中间件。

app.use(p3p(p3p.recommended));

It will add p3p headers at res object. No need to do any extra things.

它将在res对象中添加p3p标题。不需要做任何额外的事情。

You will get more info at:

你会得到更多的信息:

https://github.com/troygoode/node-p3p

https://github.com/troygoode/node-p3p

5  

If anybody is looking for Apache line; we used this one.

如果有人在寻找阿帕奇线;我们使用这个。

Header set P3P "CP=\"Thanks IE8\""

报头设置P3P "CP=\"谢谢IE8\"

It really didn't matter what we set CP value to, as long as there is the P3P header.

我们将CP值设置为什么并不重要，只要有P3P头。

4  

One possible thing to do is to add the domain to allowed sites in tools -> internet options -> privacy -> sites: somedomain.com -> allow -> OK.

一种可能的做法是将域名添加到工具中允许的站点——>网络选项->隐私->站点:somedomain.com ->允许-> OK。

3  

This post provides some commentary on P3P and a short-cut solution that reduces the problems with IE7 and IE8.

这篇文章提供了一些关于P3P的评论和一个简化的解决方案，减少了IE7和IE8的问题。

3  

One solution that I haven't seen mentioned here, is using session storage instead of cookies. Of course this might not fit everyone's requirements, but for some cases it's an easy fix.

我在这里没有提到的一个解决方案是使用会话存储而不是cookie。当然，这可能不符合每个人的要求，但在某些情况下，这是一个容易解决的问题。

2  

Got similar problem, also went to investigate how to generate the P3P policy this morning, here is my post about how to generate your own policy and use in the web site :) http://everydayopenslikeaflower.blogspot.com/2009/08/how-to-create-p3p-policy-and-implement.html

也有类似的问题，今天早上还去研究如何生成P3P策略，下面是我的帖子，关于如何在网站上生成自己的策略和使用:)http://everydayopenslikeaflower.blogspot.com/2009/08/howto - createp3p -policy- implement.html。

2  

I've implemented a full P3P policy before but didn't want go through the hassle again for a new project I was working on. I found this link useful for a simple solution to the problem, only having to specify a minimal compact P3P policy of "CAO PSA OUR":

我之前已经实现了一个完整的P3P策略，但是我不想再为我正在开发的一个新项目再次经历麻烦。我发现这个链接对于一个简单的解决方案很有用，只需指定“CAO PSA OUR”的最小压缩P3P策略:

http://blog.sweetxml.org/2007/10/minimal-p3p-compact-policy-suggestion.html

http://blog.sweetxml.org/2007/10/minimal-p3p-compact-policy-suggestion.html

The article quotes a (now broken) link to a Microsoft kb article. The policy did the trick for me!

这篇文章引用了一个微软知识库文章的链接。这政策对我起了作用!

2  

I was investigating this problem with regard to login-off via Azure Access Control Services, and wasn't able to connect head and tails of anything.

我正在调查这个问题，通过Azure的访问控制服务，并不能连接任何东西的头和尾。

Then, stumbled over this post https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/

然后，在这篇文章中，我无意中发现了https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross- in- interzone - os/。

In short, IE doesn't share cookies across zones (eg. Internet vs. Trusted sites).

简而言之，IE不会在不同的区域共享cookie(如:互联网与值得信赖的网站)。

So, if your IFrame target and html page are in different zone's P3P won't help with anything.

所以，如果你的IFrame目标和html页面在不同的区域，P3P将不会有任何帮助。

1  

You can also combine the p3p.xml and policy.xml files as such:

你也可以合并p3p。xml和政策。xml文件是这样的:

/home/ubuntu/sites/shared/w3c/p3p.xml

/home/ubuntu/sites/shared/w3c/p3p.xml

<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="#policy1">
      <INCLUDE>/</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
  <POLICIES>
    <POLICY discuri="" name="policy1">
      <ENTITY>
        <DATA-GROUP>
          <DATA ref="#business.name"></DATA> 
          <DATA ref="#business.contact-info.online.email"></DATA> 
        </DATA-GROUP>
      </ENTITY>
      <ACCESS>
        <nonident/>
      </ACCESS>
      <!-- if the site has a dispute resolution procedure that it follows, a DISPUTES-GROUP should be included here -->
      <STATEMENT>
        <PURPOSE>
          <current/>
          <admin/>
          <develop/>
        </PURPOSE>
        <RECIPIENT>
          <ours/>
        </RECIPIENT>
        <RETENTION>
          <indefinitely/>
        </RETENTION>
        <DATA-GROUP>
          <DATA ref="#dynamic.clickstream"/>
          <DATA ref="#dynamic.http"/>
        </DATA-GROUP>
      </STATEMENT>
    </POLICY>
  </POLICIES>
</META>

I found the easiest way to add a header is proxy through Apache and use mod_headers, as such:

我发现最简单的添加标题的方法是通过Apache进行代理，并使用mod_headers，如下所示:

<VirtualHost *:80>
  ServerName mydomain.com

  DocumentRoot /home/ubuntu/sites/shared/w3c/

  ProxyRequests off
  ProxyPass /w3c/ !
  ProxyPass / http://127.0.0.1:8080/
  ProxyPassReverse / http://127.0.0.1:8080/
  ProxyPreserveHost on

  Header add p3p 'P3P:policyref="/w3c/p3p.xml", CP="NID DSP ALL COR"'
</VirtualHost>

So we proxy all requests except those to /w3c/p3p.xml to our application server.

所以我们代理所有请求，除了那些/w3c/p3p。xml到我们的应用服务器。

You can test it all with the W3C validator

您可以使用W3C验证器来测试它。

1  

If you own the domain that needs to be embedded, then you could, before calling the page that includes the IFrame, redirect to that domain, which will create the cookie and redirect back, as explained here: http://www.mendoweb.be/blog/internet-explorer-safari-third-party-cookie-problem/

如果您拥有需要嵌入的域，那么您可以在调用包含IFrame的页面之前，将其重定向到该域，该域将创建cookie并重定向返回，如此处所述:http://www.mfuneb.be/blog/internet - explorersafari-_-第三方-cookie-问题/。

This will work for Internet Explorer but for Safari as well (because Safari also blocks the third-party cookies).

这将为Internet Explorer工作，但也适用于Safari(因为Safari也会阻止第三方cookie)。

1  

I know it's a bit late to put my contribution on this subject but I lost so many hours that maybe this answer will help somebody.

我知道我在这个问题上的贡献有点晚了，但是我失去了太多的时间，也许这个答案会帮助一些人。

I was trying to call a third party cookie on my site and of course it was not working on Internet Explorer 10, even at a low security level... don't ask me why. In the iframe I was calling a read_cookie.php (echo $_COOKIE) with ajax.

我试着在我的网站上调用第三方cookie，当然它并没有在Internet Explorer 10上工作，即使在一个低安全级别……不要问我为什么。在iframe中，我调用了一个read_cookie。php (echo $_COOKIE)和ajax。

And I don't know why I was incapable of setting the P3P policy to solve the problem...

我不知道为什么我不能制定P3P政策来解决这个问题……

During my search I saw something about getting the cookie in JSON working. I don't even try because I thought that if the cookie won't pass through an iframe, it will not pass any more through an array...

在我的搜索过程中，我看到了JSON工作中的cookie。我甚至不尝试，因为我认为如果cookie不能通过iframe，它就不会通过数组传递更多信息……

Guess what, it does! So if you json_encode your cookie then decode after your ajax request, you'll get it!

猜猜看,它!因此，如果您json_encode您的cookie，然后解码您的ajax请求，您将得到它!

Maybe there is something I missed and if I did, all my apologies, but i never saw something so stupid. Block third party cookies for security, why not, but let it pass if encoded? Where is the security now?

也许我错过了什么，如果我做了，所有的道歉，但我从来没见过这么愚蠢的事情。为安全设置第三方cookie，为什么不，但是如果编码了，让它通过?保安现在在哪里?

I hope this post will help somebody and again, if I missed something and I'm dumb, please educate me!

我希望这篇文章能帮助别人，如果我错过了什么，我很笨，请教育我!

1  

This finally worked for me (after a lot of hastle and generating some policies using IBMs policy generator). You can downlod the policy generator here: http://www.softpedia.com/get/Security/Security-Related/P3P-Policy-Editor.shtml

这最终对我起了作用(在使用IBMs策略生成器进行了大量的hastle和生成一些策略之后)。您可以在这里下载策略生成器:http://www.softpedia.com/get/security/securityrelated/p3p - policy editor .shtml。

I was not able to download the generator from the official IBM website any more.

我再也无法从官方的IBM网站上下载发电机了。

I created these files in the root folder of my Web-App

我在我的web应用程序的根文件夹中创建了这些文件。

/index.php
/w3c/policy.html (Human readable format)
/w3c/p3p.xml
/w3c/policy.p3p

1. Index.php: Just send an additional header:
2. 索引。php:只需发送一个额外的标题:

header('P3P: policyref="/w3c/p3p.xml", CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV DEM"');

2. Content of p3p.xml
3. p3p.xml内容

<META>
    <POLICY-REFERENCES>
        <POLICY-REF about="/w3c/policy.p3p#App">
            <INCLUDE>/</INCLUDE>
            <COOKIE-INCLUDE/>
        </POLICY-REF>
    </POLICY-REFERENCES>
</META>

3. Content of my policy.html file
4. 我的政策的内容。html文件

<html>
<head>
<STYLE type="text/css">
title { color: #3333FF}
</STYLE>
<title>Privacy Statement for YOUR COMPANY NAME</title>
</head>
<body>
<h1 class="title">Privacy Policy</h1>
<!-- "About Us" section of privacy policy -->
<h2>About Us</h2>
<p>This is a privacy policy for YOUR COMPANY NAME.
Our homepage on the Web is located at <a href="YOURWEBSITE">
YOURWEBSITE</a>.
The full text of our privacy policy is available on the Web at 
<a href="ABSOLUTE URL OF THIS FILE">
ABSOLUTE URL OF THIS FILE</a>
This policy does not tell users where they can go to exercise their opt-in or opt-out options.
<p>We invite you to contact us if you have questions about this policy.
You may contact us by mail at the following address:
<pre>FIRSTNAME LASTNAME
YOUR ADDRESS HERE
</pre>
<p>You may contact us by e-mail at 
<a href="mailto:info@YOURMAIL.de">
info@YOURMAIL.eu</a>. 
You may call us at TELEPHONENUMBER.
<!-- "Privacy Seals" section of privacy policy -->
<h2>Dispute Resolution and Privacy Seals</h2>
<p>We have the following privacy seals and/or dispute resolution mechanisms.
If you think we have not followed our privacy policy in some way, they can help you resolve your concern.
<ul>
<li>
<b>Dispute</b>:
Contact us for further information
</ul>
<!-- "Additional information" section of privacy policy -->
<h2>Additional Information</h2>
<p>
This policy is valid for 1 day from the time that it is loaded by a client.
</p>
<!-- "Data Collection" section of privacy policy -->
<h2>Data Collection</h2>
<p>P3P policies declare the data they collect in groups (also referred to as "statements").
This policy contains 1 data group.
<hr width="50%" align="center">
<h3>Group "App control data"</h3>
<p>We collect the following information:
<ul>
<li>HTTP cookies</li>
</ul>
<p>This data will be used for the following purposes:</p>
<ul>
<li>Completion and support of the current activity.</li>
<li>Web site and system administration.</li>
<li>Research and development.</li>
<li>Historical preservation.</li>
<li>Other purposes<p>Control Flow of the application</p></li>
</ul>
<p>This data will be used by ourselves and our agents.
<p>The data in this group has been marked as non-identifiable. This means that there is no
reasonable way for the site to identify the individual person this data was collected from.
<p>The following explanation is provided for why this data is collected:</p>
<blockquote>This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</blockquote>
<!-- "Use of Cookies" section of privacy policy -->
<hr width="50%" align="center">
<h2>Cookies</h2>
<p>Cookies are a technology which can be used to provide you with tailored information from a Web site. A cookie is an element of data that a Web site can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it.
<p>Our site makes use of cookies.
Cookies are used for the following purposes:
<ul>
<li>Site administration
<li>Completing the user's current activity
<li>Research and development
<li>Other
(Control Flow of the application)
</ul>
<!-- "Compact Policy Explanation" section of privacy policy -->
<hr width="50%" align="center">
<h2>Compact Policy Summary</h2>
<p>The compact policy which corresponds to this policy is:
<pre>
    CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV"
</pre>
<p>The following table explains the meaning of each field in the compact policy.
<center><table width="80%" border="1" cols="2">
<tr><td align="center" valign="top" width="20%"><b>Field</b></td><td align="center" valign="top" width="80%"><b>Meaning</b></td></tr>
<tr><td align="left" valign="top" width="20%"><tt>CP=</tt></td>
<td align="left" valign="top" width="80%">This is the compact policy header; it indicates that what follows is a P3P compact policy.</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>ALL</tt></td>
<td align="left" valign="top" width="80%">
Access to all collected information is available.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>DSP</tt></td>
<td align="left" valign="top" width="80%">
The policy contains at least one dispute-resolution mechanism.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NID</tt></td>
<td align="left" valign="top" width="80%">
The information collected is not personally identifiable.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>CURa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for completion of the current activity.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>ADMa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for site administration.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>DEVa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for research and development.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>HISa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for historical archival purposes.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>OTPa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for other purposes.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>OUR</tt></td>
<td align="left" valign="top" width="80%">
The data is given to ourselves and our agents.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NOR</tt></td>
<td align="left" valign="top" width="80%">
The data is not kept beyond the current transaction.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NAV</tt></td>
<td align="left" valign="top" width="80%">
Navigation and clickstream data is collected.
</td></tr>
</table></center>
<p>The compact policy is sent by the Web server along with the cookies it describes.
For more information, see the P3P deployment guide at <a href="http://www.w3.org/TR/p3pdeployment">http://www.w3.org/TR/p3pdeployment</a>.
<!-- "Policy Evaluation" section of privacy policy -->
<hr width="50%" align="center">
<h2>Policy Evaluation</h2>
<p>Microsoft Internet Explorer 6 will evaluate this policy's compact policy whenever it is used with a cookie.
The actions IE will take depend on what privacy level the user has selected in their browser (Low, Medium, Medium High, or High; the default is Medium.
In addition, IE will examine whether the cookie's policy is considered satisfactory or unsatisfactory, whether the cookie is a session cookie or a persistent cookie, and whether the cookie is used in a first-party or third-party context.
This section will attempt to evaluate this policy's compact policy against Microsoft's stated behavior for IE6.
<p><b>Note:</b> this evaluation is currently experimental and should not be considered a substitute for testing with a real Web browser.
<p><b>Satisfactory policy</b>: this compact policy is considered <em>satisfactory</em> according to the rules defined by Internet Explorer 6.
IE6 will accept cookies accompanied by this policy under the High, Medium High, Medium, Low, and Accept All Cookies settings.
</body></html>

4. Content of policy.p3p
5. policy.p3p内容

<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
    <!-- Generated by IBM P3P Policy Editor version Beta 1.12 built 2/27/04 1:19 PM -->

    <!-- Expiry information for this policy -->
    <EXPIRY max-age="86400"/>

<POLICY
    name="App"
    discuri="ABSOLUTE URL TO policy.html"
    xml:lang="de">
    <!-- Description of the entity making this policy statement. -->
    <ENTITY>
    <DATA-GROUP>
<DATA ref="#business.name">COMPANY NAME</DATA>
<DATA ref="#business.contact-info.online.email">info@YOURMAIL.eu</DATA>
<DATA ref="#business.contact-info.online.uri">YOURWEBSITE</DATA>
<DATA ref="#business.contact-info.telecom.telephone.number">YOURPHONENUMBER</DATA>
<DATA ref="#business.contact-info.postal.organization">FIRSTNAME LASTNAME</DATA>
<DATA ref="#business.contact-info.postal.street">STREET</DATA>
<DATA ref="#business.contact-info.postal.city">CITY</DATA>
<DATA ref="#business.contact-info.postal.stateprov">STAGE</DATA>
<DATA ref="#business.contact-info.postal.postalcode">POSTALCODE</DATA>
<DATA ref="#business.contact-info.postal.country">Germany</DATA>
    </DATA-GROUP>
    </ENTITY>

    <!-- Disclosure -->
    <ACCESS><all/></ACCESS>


    <!-- Disputes -->
    <DISPUTES-GROUP>
        <DISPUTES resolution-type="service" service="YOURWEBSITE CONTACT FORM" short-description="Dispute">
            <LONG-DESCRIPTION>Contact us for further information</LONG-DESCRIPTION>
    <!-- No remedies specified -->
        </DISPUTES>
    </DISPUTES-GROUP>

    <!-- Statement for group "App control data" -->
    <STATEMENT>
        <EXTENSION optional="yes">
            <GROUP-INFO xmlns="http://www.software.ibm.com/P3P/editor/extension-1.0.html" name="App control data"/>
        </EXTENSION>

    <!-- Consequence -->
    <CONSEQUENCE>
This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</CONSEQUENCE>

    <!-- Data in this statement is marked as being non-identifiable -->
    <NON-IDENTIFIABLE/>

    <!-- Use (purpose) -->
    <PURPOSE><admin/><current/><develop/><historical/><other-purpose>Control Flow of the application</other-purpose></PURPOSE>

    <!-- Recipients -->
    <RECIPIENT><ours/></RECIPIENT>

    <!-- Retention -->
    <RETENTION><no-retention/></RETENTION>

    <!-- Base dataschema elements. -->
    <DATA-GROUP>
    <DATA ref="#dynamic.cookies"><CATEGORIES><navigation/></CATEGORIES></DATA>
    </DATA-GROUP>
</STATEMENT>

<!-- End of policy -->
</POLICY>
</POLICIES>

0  

In Rails I am using this gem : https://github.com/merchii/rack-iframe Bawically it sets a set of abbreviations without a reference file: https://github.com/merchii/rack-iframe/blob/master/lib/rack/iframe.rb#L8

在Rails中，我使用了这个gem: https://github.com/merchii/rack-iframe，它设置了一组没有引用文件的缩写:https://github.com/merchii/rack-iframe/blob/master/lib/rack/iframe.rb#L8。

It is easy to install when you dont care at all about the meaning of the p3p stuff.

当您根本不关心p3p的含义时，很容易安装。

0  

For anyone trying to get the P3P Compact Policy working with static content:

It is only possible if you are able to send custom server-side response headers with the static content.

只有当您能够使用静态内容发送自定义服务器端响应头时，才有可能。

For a more detailed explanation see my answer here: Set P3P code in HTML

对于更详细的解释，请参见我的答案:在HTML中设置P3P代码。

0  

In Rails 3.2 I am using:

在Rails 3.2中，我使用:

class ApplicationController < ActionController::Base  

  before_filter :set_p3p  

  private  
    # for IE session cookies thru iframe  
    def set_p3p  
      headers['P3P'] = 'CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"'  
    end  
end  

I got this from: http://dot-net-web-developer-bristol.blogspot.com/2012/04/setting-p3p-header-in-rails-session.html

我从http://dot-net-web-developer- bristol.blogspot.com/2012/04/settingp3p -header-in-rails-session.html中获得了这一信息。

-1  

A better solution would be to make an Ajax call inside the iframe to the page that would get/set cookies...

一个更好的解决方案是在iframe中调用一个Ajax调用来获取/设置cookie…