.NET Passport and P3P (VBScript)

.NET Passport and P3P

Among the features enabled by Microsoft® Internet Explorer 6 is support for Platform for Privacy Preferences (P3P) standards. These standards enable browser users to review privacy policies submitted by Web sites through a common set of controls that are integrated into the browser. For example, Internet Explorer 6 includes features that allow users to set privacy requirements to a certain baseline and then accept or refuse actions a site may take, such as writing cookies, based on the site's privacy statement.

This topic provides information about how the new P3P standard affects your implementation of Microsoft® .NET Passport. For more information about Internet Explorer and P3P, see How to Deploy P3P Privacy Policies on Your Web Site on MSDN.

Why is P3P a Requirement?

Microsoft's commitment to privacy includes the support of accepted industry standards. The World Wide Web Consortium (W3C) P3P project is the first step in the industry towards ensuring that end users understand how the information they give to Web sites and services will be used.

Building a Web experience in which the end user has confidence is important both to Microsoft and to the industry as a whole. For these reasons, Microsoft has required that all of its own Web properties maintain accurate P3P XML information and, where the site or service uses cookies, a Compact Policy. In order to help maintain the end user's confidence in the use of .NET Passport at participating sites, Microsoft further requires that sites using .NET Passport also adhere to these industry standards.

Internet Explorer 6

Internet Explorer 6 requires mini-headers that refer to an actual P3P XML policy document produced and maintained by your site, and will restrict or allow access to cookies based on user preferences tied to this mini-header. Your site should also maintain a human-readable P3P privacy statement that matches the XML version of the policy. This discussion of P3P and Internet Explorer 6 is relevant mainly to the default settings in Internet Explorer 6 (the Medium setting for the specific privacy controls, the default settings for Internet zone security, and others). Some aspects of how P3P is used in Internet Explorer 6 can also be controlled by user preferences.

How Does P3P Affect .NET Passport and My Site?

Restrictions on cookies based on P3P policies apply only to third-party access to cookies through Internet Explorer 6. Third-party access is defined as a case in which a site includes a link, image, or other element from a third-party site, and in which that third-party element takes any action that sets or reads a cookie.

The most important point to note concerning P3P and .NET Passport is that if a participating site does not include P3P compact policies when cookies are handled, a user who signs in persistently is unable to sign out. This is because the .NET Passport sign-out page is hosted on the .NET Passport Web site and calls the cookie-delete scripts hosted by the participating sites to which the user has signed in. These scripts delete the .NET Passport cookies by setting their value to null and their expiration date to a date in the past. The writing of these cookies is considered to be third-party and will be restricted unless the cookie-delete scripts contain valid P3P headers. For more information about cookie-delete scripts, see Implementing Sign-Out and Deleting Cookies.

Adding the P3P Header in ASP

In the Internet Explorer 6 implementation, P3P information is enclosed in a defined compact policy header (also known as a "mini-header") titled "P3P". This header is composed of one or more three-letter tokens representing the statements made in the site's complete XML P3P privacy statement. The mini-header should be included in any response in which a Set-Cookie directive is included in a page, and the cookie being set is intended to be accessed through a third-party mechanism. After the cookie has been set by Internet Explorer 6, the cookie itself will contain the P3P information.

Sites that set cookies with potential third-party uses, or that set cookies in a response that will be accessed as a third-party page, should write the following mini-header into each response that sets such cookies in an Internet Explorer 6 browser. (The token TST should be replaced with the tokens that make up your site's actual P3P mini-header.)

P3P: CP="TST"

The CP value string in the mini-header must be enclosed in double quotes in the actual header as shown. The header can be added to an Active Server Page (ASP) using Microsoft® Visual Basic® Scripting Edition (VBScript) with the following code. It should be placed in the ASP page before any of the body of the response is written.

Response.AddHeader "P3P","CP=""TST"""
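
The following sketch applies that header to the sign-out case described earlier: a cookie-delete page that the .NET Passport sign-out page loads as a third-party element. It is an added example, not code from the original topic or from the .NET Passport SDK. The cookie names, domain, and path are placeholders, and TST stands in for your site's real compact policy tokens.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example: minimal cookie-delete page for a participating site.
' Placeholders (assumptions): cookie names, domain and path. Use the
' values your site used when the cookies were originally set; a cookie
' is only overwritten when its name, domain and path all match.
Const COOKIE_DOMAIN = ".example.com"
Const COOKIE_PATH = "/"

Dim cookieNames, cookieName
cookieNames = Array("ExampleTicket", "ExampleProfile")

' Buffer the response so that every header is final before any
' body bytes are sent to the browser.
Response.Buffer = True

' This page is requested from the .NET Passport sign-out page, so the
' browser treats its Set-Cookie headers as third-party writes. Without
' the compact policy, Internet Explorer 6 restricts those writes and
' the user stays signed in. Replace TST with your site's real tokens.
Response.AddHeader "P3P", "CP=""TST"""

For Each cookieName In cookieNames
    ' Delete the cookie: empty value, expiration date in the past.
    Response.Cookies(cookieName) = ""
    Response.Cookies(cookieName).Expires = DateAdd("d", -1, Now())
    Response.Cookies(cookieName).Domain = COOKIE_DOMAIN
    Response.Cookies(cookieName).Path = COOKIE_PATH
Next

Response.End
%>
```

To confirm the result, inspect the response in a proxy or browser trace and check that the P3P header appears in the same response as each Set-Cookie header.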

Reading Third-Party Cookies

If your site sets any cookies that are intended to be viewed by a third party, setting the mini-header in the page that first sets the cookies is a requirement in order for a third party to read those cookies. The privacy model in Internet Explorer 6 does not allow third-party access to cookies unless an accepted P3P privacy statement exists within the cookie itself.

In most cases, Microsoft .NET Passport cookies will not be read by third-party mechanisms. It will not typically be necessary to write the P3P mini-header into pages where Passport Manager has detected an arriving Ticket or Profile on the query string, and thus has set the Ticket or Profile cookies in your site's domain upon page load.

However, some sites could potentially choose implementation strategies that use third-party access to .NET Passport cookies between related domains. If you choose to do this, it will now be necessary for you to write P3P mini-headers from any page that includes a Set-Cookie directive that in turn sets .NET Passport cookies. Potentially, this means that any page that is used as a .NET Passport return URL will require these headers in order to anticipate all cases in which the .NET Passport cookies could be written. Without P3P mini-headers in .NET Passport cookies, Internet Explorer will refuse third-party access to those cookies by not forwarding them in the request that goes to the third-party site. The result would be that the user would not appear to be signed in (no Ticket found) and Profile elements could not be read, even though the user might really have been signed in to the site already.

Using Internet Services Manager to Configure Custom Headers

The preceding example used the AddHeader method of the ASP Response object to set the mini-header into a page-level response. An alternative approach to setting the P3P mini-header is to use the Internet Services Manager to configure Microsoft® Internet Information Services (IIS) to set custom header properties for pages, virtual directories, or entire Web sites. Setting the P3P mini-header will add bytes both to the initial responses and to all requests that contain that cookie, so the P3P header should generally be set only on pages where P3P third-party cookie setting and handling will be an issue.

To enable P3P custom headers using Internet Services Manager to configure IIS

  1. Right-click the desired page, directory, or site, and then click Properties.
  2. On the HTTP Headers tab, click Add.
  3. In the Custom Header Name field, type P3P.
  4. In the Custom Header Value field, type CP="TST", and then click OK.

For full specifications, see the Platform for Privacy Preferences (P3P) Project Web site.