Web安全之P3P

P3P 全称是 The Platform for Privacy Preferences,控制用户在在浏览网页时,如果网页中包含第三方站点资源,是否接受第三方站点设置的 cookie。

举个例子:

user 访问 www.main.com, 该站点加载了第三方网站 www.third.com 的网页(通过iframe)或者静态资源(css, js, img),是否接受 www.third.com 设置的 cookie。

默认情况下不允许保存第三方 cookie,假如第三方站点在 header 中设置了 P3P 相关信息,则可能允许跨域访问隐私数据

IE 浏览器隐私设置:

IE 浏览器第三方 cookie 策略

Chrome 浏览器隐私设置:

Chrome 浏览器第三方 cookie 策略

配合这两幅截图说明第三方 cookie 在 IE、Chrome 中是否有效。两幅截图显示 IE 阻止第三方 cookie,Chrome 接受第三方 cookie。

代码示例:

www.main.com setcookie

// file http://www.main.com/setcookie.php
<script src="http://www.main.com/setcookie.php"></script>
<!-- <iframe src="http://www.main.com/setcookie.php"></iframe> -->

www.third.com setcookie

// header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie('p3p_cookie_key', 'time_' . time(), time() + 60, '/', '.third.com');

www.third.com getcookie

// file http://www.third.com/getcookie.php
echo 'p3p_cookie_key:' . $_COOKIE['p3p_cookie_key'];

访问 http://www.main.com/setcookie.php,网页会通过 iframe 或者 script 访问 http://www.third.com/setcookie.php, 此时浏览器不一定接受来自 www.third.com 的 cookie。也就是立即访问 http://www.third.com/getcookie.php,可能获取不到 cookie 信息。

当 www.third.com setcookie.php 输出 P3P 头信息时:

  1. 访问 http://www.main.com/setcookie.php
  2. 访问 http://www.third.com/getcookie.php 可以获取到 cookie p3p_cookie_key

网页上所有资源浏览器都可以访问,但出于安全考虑,浏览器对此进行了限制,产生一些安全词汇。

P3P Header is present [引用]

CP=”CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR”
Compact Policy token is present. A trailing ‘o’ means opt-out, a trailing ‘i’ means opt-in.
CURa Information is used to complete the activity for which it was provided.
ADMa Information may be used for the technical support of the Web site and its computer system.
DEVa Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
PSDo Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS Info is retained under a service provider’s stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site’s human-readable privacy policy.
UNI Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR Information actively generated by the purchase of a product or service, including information about the method of payment.
INT Data actively generated from or reflecting explicit interactions with a service provider through its site — such as queries to a search engine, or logs of account activity.
DEM Data about an individual’s characteristics — such as gender, age, and income.
STA Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously — such as HTTP cookies.
PRE Data about an individual’s likes and dislikes — such as favorite color or musical tastes.
COM Information about the computer system that the individual is using to access the network — such as the IP number, domain name, browser type or operating system.
NAV Data passively generated by browsing the Web site — such as which pages are visited, and how long users stay on each page.
OTC Other types of data not captured by the above definitions.
NOI Web Site does not collected identified data.
DSP The privacy policy contains DISPUTES elements.
COR Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

作者: 袖之欢

科技改变生活,编程改变世界。

发表评论

电子邮件地址不会被公开。 必填项已用*标注