|C o m p a c t P r i v a c y P o l i c y|
Compact policies are summarized P3P policies that provide hints to user agents to enable the user agent to make quick, synchronous decisions about applying policy. Compact policies are a performance optimization that is OPTIONAL for either user agents or servers. User agents that are unable to obtain enough information from a compact policy to make a decision according to a user's preferences SHOULD fetch the full policy.
In P3P, compact policies contain policy information related to cookies (cf. [COOKIES] and [STATE]) only. The Web server is responsible for building a P3P compact policy to represent the cookies referenced in a full policy. The policy specified in a P3P compact policy applies to data stored within all cookies set in the same HTTP response as the compact policy, all cookies set by scripts associated with that HTTP response, and also to data linked to the cookies.
Any HTTP resource MAY include a P3P compact policy
through the P3P response header (cf. Section 2.2.2). If
a site is using P3P headers, it SHOULD include this on
responses for all appropriate request methods,
The P3P compact policy header has a quoted string that may contain one or more delimited tokens (the "compact policy"). Tokens can appear in any order, and the space character (" ") is the only valid delimiter. The syntax for this header is as follows:
As for all HTTP headers, the name of the P3P header field is case-insensitive. The field-value (i.e., the content of the header) is instead case sensitive.
If an HTTP response includes more than one compact policy, P3P user agents MUST ignore all compact policies after the first one.
P3P compact policies use tokens representing the
following elements from the P3P vocabulary:
If a token appears more than once in a single compact policy, the compact policy has the same semantics as if that token appeared only once. If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.
The P3P compact policy vocabulary is expressed using a developer-readable language to reduce the number of bytes transferred over the wire within a HTTP response header. The syntax of the tokens follows:
Information in the
If a full P3P policy contains a
Information in the
The presence of the
Purposes are expressed in P3P compact policy format
using tokens composed by a three letter code plus an
optional one letter attribute. Such an optional
attribute encodes the value of the
If a P3P compact policy needs to specify one or more
other-purposes in its full P3P policy, a single
The corresponding associations among P3P purposes and compact policy codes follow:
Recipients are expressed in P3P compact policy format
using a three letter code plus an optional one letter
attribute. Such an optional attribute encodes the value
of the "
The corresponding associations among P3P recipients and compact policy codes follow:
Information in the
Categories are represented in compact policies as follows:
Note that if a P3P policy specifies one or more
The presence of the
When a P3P compact policy is included in a HTTP
response header, it applies to cookies set by the
current response. This includes cookies set through the
use of a HTTP
To use compact policies, the validity of the full P3P policy must span the lifetime of the cookie. There is no method to indicate that policy is valid beyond the life of the cookie because the value of user agent caching is marginal, since sites would not know when to optimize by not sending the compact policy. When a server sends a compact policy, it is asserting that the compact policy and corresponding full P3P policy will be in effect for at least the lifetime of the cookie to which it applies.
When using P3P compact policies, the Web site is
responsible for building a compact policy by
summarizing the policy referenced by the
The transformation of a P3P policy to a P3P compact policy may result in a loss of descriptive policy information -- the compact policy may not contain all of the policy information specified in the full P3P policy. The information from the full policy that is discarded when building a compact policy includes expiry, data group/data-schema elements, entity elements, consequences elements, and disputes elements are reduced.
Full policies that include mandatory extensions MUST NOT be represented as compact policies.
All of the purposes, recipients, and categories that appear in multiple statements in a full policy MUST be aggregated in a compact policy, as described in section 3.3.1. When performing the aggregation, a Web site MUST disclose all relevant tokens (for instance, observe Example 4.1, where multiple retention policies are specified.)
In addition, for each fixed category data element appearing in a statement the associated category as defined in the associated schema MUST be included in the compact policy.
Consider the following P3P policy:
<POLICY name="sample" discuri="http://www.example.com/cookiepolicy.html" opturi="http://www.example.com/opt.html"> <ENTITY> <DATA-GROUP> <DATA ref="#business.name">Example, Corp.</DATA> <DATA ref="#business.contact-info.online.email">email@example.com</DATA> </DATA-GROUP> </ENTITY> <ACCESS><none/></ACCESS> <DISPUTES-GROUP> <DISPUTES resolution-type="service" service="http://www.example.com/privacy.html" short-description="Please contact our customer service desk with privacy concerns by emailing firstname.lastname@example.org"/> </DISPUTES-GROUP> <STATEMENT> <PURPOSE><admin/><develop/><pseudo-decision/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> <RETENTION><indefinitely/></RETENTION> <DATA-GROUP> <DATA ref="#dynamic.cookies"> <CATEGORIES><preference/><navigation/></CATEGORIES> </DATA> </DATA-GROUP> </STATEMENT> <STATEMENT> <PURPOSE><individual-decision required="opt-out"/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> <RETENTION><stated-purpose/></RETENTION> <DATA-GROUP> <DATA ref="#user.name.given"/> <DATA ref="#dynamic.cookies"> <CATEGORIES><preference/><uniqueid/></CATEGORIES> </DATA> </DATA-GROUP> </STATEMENT> </POLICY>
The corresponding compact policy is:
"NON DSP ADM DEV PSD IVDo OUR IND STP PHY PRE NAV UNI"
Some user agents may attempt to generate a full P3P
policy from a compact policy, for use in evaluating
user preferences. They will not be able to provide
values for the
Note that, in agreement with the non ambiguity requirements stated in Section 2.4.1, a site MUST honor a compact policy for a given URI in any case (even when the full policy referenced in the policy reference file for that URI does not correspond, as per Section 4.5, to the compact policy itself).
|CompactPrivacyPolicy Copyright © 2006-2007|