PHP如何利用P3P实现跨域
有别于JS跨域、IFRAME跨域等的常用处理办法,还可以利用P3P来实现跨域。
P3P是什么
P3P(Platform for Privacy Preferences)是W3C公布的一项隐私保护推荐标准,以为用户提供隐私保护。
P3P标准的构想是:Web 站点的隐私策略应该告之访问者该站点所收集的信息类型、信息将提供给哪些人、信息将被保留多少时间及其使用信息的方式,如站点应做诸如 “本网站将监测您所访问的页面以提高站点的使用率”或“本网站将尽可能为您提供更合适的广告”等申明。访问支持P3P网站的用户有权查看站点隐私报告,然 后决定是否接受cookie 或是否使用该网站。
如何利用P3P实现跨域
在开发中,我们碰到的跨域主要还是纠结在IE,页面中的IFRAME或者FRAME或者JS跨域的时候,IE有安全策略限制页面不带cookie,但是如果我们加上P3P,就没有这策略的限制。这也是P3P来突破跨域的可行前提。
以下为摘录的例子:
http://www.a.com/a_setcookie.php 文件内容:
<?php setcookie("test", $_GET['id'], time()+3600, "/", ".a.com"); ?>
http://www.a.com/a_getcookie.php 文件内容:
<?php var_dump($_COOKIE); ?>
http://www.b.com/b_setcookie.php 文件内容:
<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>
通过浏览器访问:
1?> http://www.b.com/b_setcookie.php
2?> http://www.a.com/a_getcookie.php
访问1 b.com域后,我们并没有在2 a.com域发现设置上cookie值。
将http://www.a.com/a_setcookie.php文件内容改为如下:
<?php
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie("test", $_GET['id'], time()+3600, "/", ".a.com");
?>
再次访问:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
在访问b.com域后,设置了a.com域的cookie值。
从上面例子可以看出通过发送P3P头信息而实现的跨域。(在Firefox不发送P3P也能跨域成功)
PHP使用P3P协议
header( 'P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );
JS使用P3P协议
xmlhttp.setRequestHeader( "P3P" , 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );
P3P的头部参数解释
引用:
P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.
CURa
Information is used to complete the activity for which it was provided.
ADMa
Information may be used for the technical support of the Web site and its computer system.
DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.
UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.
INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
DEM
Data about an individual's characteristics -- such as gender, age, and income.
STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.
COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
OTC
Other types of data not captured by the above definitions.
NOI
Web Site does not collected identified data.
DSP
The privacy policy contains DISPUTES elements.
COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
PS,这里说的跨域主要是设置cookie的情况,如果是跨域读取cookie,要保证在对应设置cookie的时候设置了P3P,否则在读取的事情IE会屏蔽跨域cookie。
相关文章
这篇文章主要介绍了WordPress开发中一些常用的debug技巧,需要的朋友可以参考下2015-12-12
这篇文章主要介绍了PHP实现链表的定义与反转功能,结合实例形式分析了PHP链表的基本定义、添加、移除、遍历以及两种反转操作相关实现技巧,需要的朋友可以参考下2018-06-06
PHP中使用DOMDocument来处理HTML、XML文档的示例
这篇文章主要介绍了PHP中使用DOMDocument来处理HTML、XML文档的示例,帮助大家更好的理解和学习使用php语言,感兴趣的朋友可以了解下2021-04-04
最近做个项目,正好需要缩略图的代码,特给大家分享下2008-10-10
这篇文章主要介绍了PHP中串行化用法,结合实例形式分析了php使用serialize与unserialize函数实现串行化与反串行化操作的相关技巧,需要的朋友可以参考下2016-11-11
在PHP中,有时候你需要在终端中处理大量数据或执行长时间运行的任务,同时希望能够实时跟踪任务的进度,在 PHP 中,有时候你需要在终端中处理大量数据或执行长时间运行的任务,同时希望能够实时跟踪任务的进度,需要的朋友可以参考下2023-10-10
在互联网快速发展的背景下,网络上的数据内容呈几何级的增长,而其中增长最快并且最容易给信息基础架构带来挑战的就是数目庞大的小文件(如图片、电子图书、邮件等)。2010-09-09
Redis 是一个开源的高性能键值存储数据库,广泛用于缓存、消息队列、会话管理和实时数据分析等应用场景,本文给大家详细介绍了phpstudy安装redis的操作步骤,需要的朋友可以参考下2023-12-12
这篇文章主要介绍了php中删除数组的第一个元素和最后一个元素的函数,需要的朋友可以参考下2015-03-03
你提到的“语言构造器”,英文是”language construct”,是语言构成的意思,翻译成语言构造器难免有点令人困惑2013-07-07
最新评论