PHP如何利用P3P实现跨域


Posted in PHP onAugust 24, 2013

有别于JS跨域、IFRAME跨域等的常用处理办法,还可以利用P3P来实现跨域。

P3P是什么
P3P(Platform for Privacy Preferences)是W3C公布的一项隐私保护推荐标准,以为用户提供隐私保护。

P3P标准的构想是:Web 站点的隐私策略应该告之访问者该站点所收集的信息类型、信息将提供给哪些人、信息将被保留多少时间及其使用信息的方式,如站点应做诸如 “本网站将监测您所访问的页面以提高站点的使用率”或“本网站将尽可能为您提供更合适的广告”等申明。访问支持P3P网站的用户有权查看站点隐私报告,然 后决定是否接受cookie 或是否使用该网站。

如何利用P3P实现跨域
在开发中,我们碰到的跨域主要还是纠结在IE,页面中的IFRAME或者FRAME或者JS跨域的时候,IE有安全策略限制页面不带cookie,但是如果我们加上P3P,就没有这策略的限制。这也是P3P来突破跨域的可行前提。

以下为摘录的例子:
http://www.a.com/a_setcookie.php 文件内容:
<?php setcookie("test", $_GET['id'], time()+3600, "/", ".a.com"); ?>
http://www.a.com/a_getcookie.php 文件内容:
<?php var_dump($_COOKIE); ?>
http://www.b.com/b_setcookie.php 文件内容:
<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>
通过浏览器访问:

1?> http://www.b.com/b_setcookie.php
2?> http://www.a.com/a_getcookie.php

访问1 b.com域后,我们并没有在2 a.com域发现设置上cookie值。
将http://www.a.com/a_setcookie.php文件内容改为如下:
<?php  
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');   
setcookie("test", $_GET['id'], time()+3600, "/", ".a.com");  
?>

再次访问:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
在访问b.com域后,设置了a.com域的cookie值。
从上面例子可以看出通过发送P3P头信息而实现的跨域。(在Firefox不发送P3P也能跨域成功)

PHP使用P3P协议

header( 'P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );

JS使用P3P协议
xmlhttp.setRequestHeader( "P3P" , 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );

P3P的头部参数解释
引用:
P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.
CURa
Information is used to complete the activity for which it was provided.
ADMa
Information may be used for the technical support of the Web site and its computer system.
DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. 
PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.
UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.
INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
DEM
Data about an individual's characteristics -- such as gender, age, and income.
STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.
COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
OTC
Other types of data not captured by the above definitions.
NOI
Web Site does not collected identified data.
DSP
The privacy policy contains DISPUTES elements.
COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

PS,这里说的跨域主要是设置cookie的情况,如果是跨域读取cookie,要保证在对应设置cookie的时候设置了P3P,否则在读取的事情IE会屏蔽跨域cookie。
PHP 相关文章推荐
function.inc.php超越php
Dec 09 PHP
PHP面向对象编程快速入门
Dec 14 PHP
php下载远程文件类(支持断点续传)
Nov 14 PHP
php面向对象全攻略 (十一)__toString()用法 克隆对象 __call处理调用错误
Sep 30 PHP
PHP中static关键字原理的学习研究分析
Jul 18 PHP
作为PHP程序员应该了解MongoDB的五件事
Jun 03 PHP
MySql数据库查询结果用表格输出PHP代码示例
Mar 20 PHP
PHP实现RTX发送消息提醒的实例代码
Jan 03 PHP
PHP递归实现汉诺塔问题的方法示例
Nov 25 PHP
PHP实现的猴王算法(猴子选大王)示例
Apr 30 PHP
php判断目录存在的简单方法
Sep 26 PHP
php加速缓存器opcache,apc,xcache,eAccelerator原理与配置方法实例分析
Mar 02 PHP
PHP引用符&amp;的用法详细解析
Aug 22 #PHP
新手菜鸟必读:session与cookie的区别
Aug 22 #PHP
PHP mysql与mysqli事务使用说明 分享
Aug 17 #PHP
php中url传递中文字符,特殊危险字符的解决方法
Aug 17 #PHP
测试PHP连接MYSQL成功与否的代码
Aug 16 #PHP
PHP 通过Socket收发十六进制数据的实现代码
Aug 16 #PHP
php读取mysql中文数据出现乱码的解决方法
Aug 16 #PHP
You might like
透析PHP的配置文件php.ini
2006/10/09 PHP
php利用新浪接口查询ip获取地理位置示例
2014/01/20 PHP
PHP常用正则表达式集锦
2014/08/17 PHP
php源码 fsockopen获取网页内容实例详解
2016/09/24 PHP
laravel框架模型中非静态方法也能静态调用的原理分析
2019/11/23 PHP
解析arp病毒背后利用的Javascript技术附解密方法
2007/08/06 Javascript
JavaScript 动态将数字金额转化为中文大写金额
2009/05/14 Javascript
javascript写的一个链表实现代码
2009/10/25 Javascript
jquery解决客户端跨域访问问题
2015/01/06 Javascript
JS实现不规则TAB选项卡效果代码
2015/09/16 Javascript
node.js使用cluster实现多进程
2016/03/17 Javascript
使用BootStrap实现用户登录界面UI
2016/08/10 Javascript
微信小程序 教程之引用
2016/10/18 Javascript
Bootstrap源码解读按钮(5)
2016/12/23 Javascript
javascript中BOM基础知识总结
2017/02/14 Javascript
本地搭建微信小程序服务器的实现方法
2017/10/27 Javascript
详解如何在angular2中获取节点
2017/11/23 Javascript
vue实现商城上货组件简易版
2017/11/27 Javascript
javascript数组拍平方法总结
2018/01/20 Javascript
vue checkbox 全选 数据的绑定及获取和计算方法
2018/02/09 Javascript
总结javascript三元运算符知识点
2018/09/28 Javascript
浅析vue插槽和作用域插槽的理解
2019/04/22 Javascript
Node.js 的 GC 机制详解
2019/06/03 Javascript
JavaScript 实现自己的安卓手机自动化工具脚本(推荐)
2020/05/13 Javascript
Python读取YAML文件过程详解
2019/12/30 Python
Pytorch数据拼接与拆分操作实现图解
2020/04/30 Python
HTML5新增form控件和表单属性实例代码详解
2019/05/15 HTML / CSS
李宁官方网店:中国运动品牌
2017/11/02 全球购物
海量信息软件测试笔试题
2015/08/08 面试题
酒店保安员岗位职责
2014/01/31 职场文书
室内趣味活动方案
2014/08/24 职场文书
英语教师个人总结
2015/02/09 职场文书
虎兄虎弟观后感
2015/06/12 职场文书
2017元旦晚会开幕词
2016/03/03 职场文书
解读Vue组件注册方式
2021/05/15 Vue.js
python获取带有返回值的多线程
2022/05/02 Python