摘要:如何利用實現(xiàn)跨域在開發(fā)中��,我們碰到的跨域主要還是糾結(jié)在���,頁面中的或者或者跨域的時候���,有安全策略限制頁面不帶,但是如果我們加上��,就沒有這策略的限制。這也是來突破跨域的可行前提���。從上面例子可以看出通過發(fā)送頭信息而實現(xiàn)的跨域����。
P3P是什么
P3P
Platform for Privacy Preferences, 是W3C公布的一項隱私保護(hù)推薦標(biāo)準(zhǔn)���,以為用戶提供隱私保護(hù)�。
P3P標(biāo)準(zhǔn)的構(gòu)想是:Web 站點的隱私策略應(yīng)該告之訪問者該站點所收集的信息類型�、信息將提供給哪些人、信息將被保留多少時間及其使用信息的方式�,如站點應(yīng)做諸如 “本網(wǎng)站將監(jiān)測您所訪問的頁面以提高站點的使用率”或“本網(wǎng)站將盡可能為您提供更合適的廣告”等申明。訪問支持P3P網(wǎng)站的用戶有權(quán)查看站點隱私報告���,然后決定是否接受cookie 或是否使用該網(wǎng)站����。
如何利用P3P實現(xiàn)跨域
在開發(fā)中�,我們碰到的跨域主要還是糾結(jié)在IE,頁面中的IFRAME或者FRAME或者JS跨域的時候��,IE有安全策略限制頁面不帶cookie�����,但是如果我們加上P3P,就沒有這策略的限制���。這也是P3P來突破跨域的可行前提。
例子:
vist:
http://www.first.com/vist.html
Title
http://www.second.com/p3p.php
http://www.second.com/getp3p.php
通過瀏覽器訪問:
http://www.first.com/vist.html
http://www.second.com/getp3p.php
我們發(fā)現(xiàn)訪問first.com/vist.html后�,我們并沒有在second.com域發(fā)現(xiàn)設(shè)置上cookie值。
http://www.second.com/p3p.php 增加P3P頭部信息:
再次通過瀏覽器訪問:
http://www.first.com/vist.html
http://www.second.com/getp3p.php
在訪問second.com域后���,設(shè)置了first.com域的cookie值���。
從上面例子可以看出通過發(fā)送P3P頭信息而實現(xiàn)的跨域。(在Firefox不發(fā)送P3P也能跨域成功)
PHP使用P3P協(xié)議
header("P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"");
JS使用P3P協(xié)議
xmlhttp.setRequestHeader("P3P" ,"CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"");
P3P的頭部參數(shù)解釋
P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Compact Policy token is present. A trailing "o" means opt-out, a trailing "i" means opt-in.
CURa
Information is used to complete the activity for which it was provided.
ADMa
Information may be used for the technical support of the Web site and its computer system.
DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS
Info is retained under a service provider"s stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site"s human-readable privacy policy.
UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.
INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
DEM
Data about an individual"s characteristics -- such as gender, age, and income.
STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
PRE
Data about an individual"s likes and dislikes -- such as favorite color or musical tastes.
COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
OTC
Other types of data not captured by the above definitions.
NOI
Web Site does not collected identified data.
DSP
The privacy policy contains DISPUTES elements.
COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
這里說的跨域主要是設(shè)置cookie的情況�,如果是跨域讀取cookie,要保證在對應(yīng)設(shè)置cookie的時候設(shè)置了P3P�,否則在讀取的事情IE會屏蔽跨域cookie。
文章版權(quán)歸作者所有��,未經(jīng)允許請勿轉(zhuǎn)載,若此文章存在違規(guī)行為���,您可以聯(lián)系管理員刪除��。
轉(zhuǎn)載請注明本文地址:http://systransis.cn/yun/26069.html
