Home > Article > Backend Development > How PHP uses P3P to achieve cross-domain_PHP tutorial
How PHP uses P3P to achieve cross-domain_PHP tutorial
- WBOYOriginal
- 2016-07-21 14:58:57896browse
Different from common processing methods such as JS cross-domain, IFRAME cross-domain, etc., P3P can also be used to achieve cross-domain.
What is P3P
P3P (Platform for Privacy Preferences) is a privacy protection recommendation standard published by W3C to provide privacy protection for users.
The idea behind the P3P standard is that the privacy policy of a Web site should inform visitors about the type of information collected by the site, who the information will be provided to, how long the information will be retained, and how it will use the information. For example, the site should Make statements such as "This website will monitor the pages you visit to improve site usage" or "This website will try its best to provide you with more appropriate advertisements." Users visiting a P3P-enabled website have the right to view the site privacy report and decide whether to accept cookies or use the website.
How to use P3P to achieve cross-domain
During development, the cross-domain problems we encounter are mainly related to IE, IFRAME or FRAME or JS cross-domain in the page At that time, IE had a security policy that restricted pages without cookies, but if we add P3P, there would be no restriction from this policy. This is also a feasible premise for P3P to break through cross-domain.
The following is an example of an excerpt:
http://www.a.com/a_setcookie.php File content:
http://www.a.com/a_getcookie.php file content :
http://www.b.com/b_setcookie.php File content:
Access via browser:
1?> http://www.b.com/b_setcookie.php
2?> http://www. a.com/a_getcookie.php
After visiting the 1 b.com domain, we did not find the cookie value set in the 2 a.com domain.
Change the content of the http://www.a.com/a_setcookie.php file to the following:
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie("test ", $_GET['id'], time()+3600, "/", ".a.com");
?>
Visit again:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
After accessing the b.com domain, a.com is set The cookie value for the domain.
From the above example, we can see the cross-domain achieved by sending P3P header information. (Cross-domain can be successful in Firefox without sending P3P)
PHP uses the P3P protocol
header( 'P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );
JS uses the P3P protocol
xmlhttp.setRequestHeader( "P3P" , 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );
P3P header parameter explanation
Quote:
P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.
CURa
Information is used to complete the activity for which it was provided.
ADMa
Information may be used for the technical support of the Web site and its computer system.
DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.
UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.
INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
DEM
Data about an individual's characteristics -- such as gender, age, and income.
STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.
COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
OTC
Other types of data not captured by the above definitions.
NOI
Web Site does not collected identified data.
DSP
The privacy policy contains DISPUTES elements.
COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
PS,这里说的跨域主要是设置cookie的情况,如果是跨域读取cookie,要保证在对应设置cookie的时候设置了P3P,否则在读取的事情IE会屏蔽跨域cookie。