利用 P3P 策略实现 http 跨域

发布于 2021-08-20 13:07:42 字数 5420 浏览 1401 评论 0

有别于 JS 跨域、IFRAME 跨域等的常用处理办法,还可以利用P3P来实现跨域。

P3P 是什么

P3P(Platform for Privacy Preferences)是 W3C 公布的一项隐私保护推荐标准,以为用户提供隐私保护。

P3P标准的构想是:Web 站点的隐私策略应该告之访问者该站点所收集的信息类型、信息将提供给哪些人、信息将被保留多少时间及其使用信息的方式,如站点应做诸如 “本网站将监测您所访问的页面以提高站点的使用率”或“本网站将尽可能为您提供更合适的广告”等申明。访问支持 P3P 网站的用户有权查看站点隐私报告,然后决定 是否接受cookie 或是否使用该网站。

如何利用 P3P 实现跨域

在开发中,我们碰到的跨域主要还是纠结在 IE,页面中的 IFRAME 或者 FRAME 或者 JS 跨域的时候,IE有安全策略限制页面不带 Cookie,但是如果我们加上 P3P,就没有这策略的限制。这也是 P3P 来突破跨域的可行前提。

以下为摘录的例子:

http://www.a.com/a_setcookie.php 文件内容:

setcookie("test", $_GET['id'], time()+3600, "/", ".a.com");

http://www.a.com/a_getcookie.php 文件内容:

var_dump($_COOKIE);

http://www.b.com/b_setcookie.php 文件内容:

<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>

通过浏览器访问:

http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php

访问 b.com 域后,我们并没有在 a.com 域发现设置上 Cookie 值。

将 http://www.a.com/a_setcookie.php 文件内容改为如下:

header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie("test", $_GET['id'], time()+3600, "/", ".a.com");

再次访问:

http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php

在访问 b.com 域后,设置了 a.com 域的 Cookie 值。

从上面例子可以看出通过发送 P3P 头信息而实现的跨域。(在 Firefox 不发送 P3P 也能跨域成功)

PHP 使用 P3P 协议

header( 'P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );

JS 使用 P3P 协议

xmlhttp.setRequestHeader( "P3P" , 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );

P3P 的头部参数解释

P3P Header is present
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.

CURa
Information is used to complete the activity for which it was provided.

ADMa
Information may be used for the technical support of the Web site and its computer system.

DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.

PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.

UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.

PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.

INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.

DEM
Data about an individual's characteristics -- such as gender, age, and income.

STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.

PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.

COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.

NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.

OTC
Other types of data not captured by the above definitions.

NOI
Web Site does not collected identified data.

DSP
The privacy policy contains DISPUTES elements.

COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

PS:这里说的跨域主要是设置 Cookie 的情况,如果是跨域读取 Cookie,要保证在对应设置 Cookie 的时候设置了 P3P,否则在读取的事情 IE 会屏蔽跨域 Cookie。

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

关于作者

JSmiles

生命进入颠沛而奔忙的本质状态,并将以不断告别和相遇的陈旧方式继续下去。

0 文章
0 评论
84961 人气
更多

推荐作者

醉城メ夜风

文章 0 评论 0

远昼

文章 0 评论 0

平生欢

文章 0 评论 0

微凉

文章 0 评论 0

Honwey

文章 0 评论 0

qq_ikhFfg

文章 0 评论 0

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文