How PHP can use P3P to set cookies across domains

Updated: 2013-08-24 09:17:39   Author:
In development, the cross-domain problem we run into is mostly Internet Explorer: when a page embeds another domain through an IFRAME, a FRAME or a script include, IE's privacy policy refuses to store the cookies that third-party response sets. If the response carries a P3P header, that restriction no longer applies, which is what makes P3P a workable way around the cross-domain cookie block.

Apart from the usual JS and IFRAME cross-domain techniques, P3P can also be used to get cookies across domains.

What P3P is
P3P (Platform for Privacy Preferences) is a privacy-protection recommendation published by the W3C, intended to give users a machine-readable statement of a site's privacy practices.

The idea behind P3P is that a web site's privacy policy should tell visitors what kinds of information the site collects, who that information is passed on to, how long it is retained and how it is used, with statements such as "this site monitors the pages you visit in order to improve usability" or "this site will try to show you more relevant advertising". A user visiting a P3P-enabled site can inspect the site's privacy report and then decide whether to accept its cookies or to use the site at all.

How to use P3P across domains
In practice the cross-domain trouble is almost entirely Internet Explorer. When a page embeds content from another domain via IFRAME, FRAME or a script include, IE's privacy setting (Medium by default) discards the cookies that the third-party response tries to set. If that response carries a P3P compact-policy header, IE lifts the restriction and stores the cookie. That behaviour is the whole basis for using P3P to set cookies across domains.

The following example is excerpted:

Contents of http://www.a.com/a_setcookie.php:

<?php setcookie("test", $_GET['id'], time()+3600, "/", ".a.com"); ?>

Contents of http://www.a.com/a_getcookie.php:

<?php var_dump($_COOKIE); ?>

Contents of http://www.b.com/b_setcookie.php:

<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>
Open the following in the browser, in order:

1. http://www.b.com/b_setcookie.php
2. http://www.a.com/a_getcookie.php

After visiting 1 (the b.com page), we find that 2 (the a.com page) shows no cookie: IE dropped the Set-Cookie that the third-party script response carried.
Now change http://www.a.com/a_setcookie.php to the following:

<?php
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie("test", $_GET['id'], time()+3600, "/", ".a.com");
?>

Visit the two pages again:

http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php

This time, after visiting the b.com page, the cookie on the a.com domain has been set. The example shows that it is the P3P header in the response that lets the cross-domain cookie through. (Firefox of that era never implemented P3P and accepted third-party cookies by default, so the cross-domain write succeeds there even without the header.)

Two caveats a practitioner should keep in mind. First, P3P is a response header, and Internet Explorer was the only browser that ever acted on it; Microsoft removed P3P support from Internet Explorer 11 with Windows 10. Current browsers ignore the header entirely and instead require the cookie itself to carry SameSite=None; Secure before they will store it in a third-party context, and several block third-party cookies by default regardless. Second, a_setcookie.php stores whatever ?id= value the request carries, and the request can be triggered by any site that embeds the script tag, so any third party can choose the value of the a.com cookie. Validate the value against an allowlist, or derive it server-side, before using this pattern in a real application.
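The a_setcookie.php endpoint rewritten as an added example (not code from the original article) in Python's standard library, so the exact response headers can be inspected offline. It keeps the article's P3P compact policy for old IE, adds the SameSite=None; Secure attributes that current browsers require for a cookie set from a third-party context, and replaces the unvalidated $_GET['id'] with an allowlist. The hostnames, the port, the allowlist pattern and the HttpOnly flag are assumptions chosen for illustration.

```python
"""Cross-site cookie setter: legacy P3P compact policy plus modern SameSite.

Added example, not code from the original article. It mirrors the
a_setcookie.php endpoint so the response headers can be inspected offline.
Hostnames, port and the 'id' allowlist are assumptions for illustration.
"""
import re
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Compact policy taken from the article. Only old Internet Explorer
# versions consult it; every other browser ignores the header.
P3P_COMPACT_POLICY = (
    'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV '
    'OTC NOI DSP COR"'
)

# The article's a_setcookie.php writes $_GET['id'] straight into the cookie,
# so any third-party page that embeds the script can pick the value.
# Restricting it to a short token (an assumed policy) removes that freedom.
COOKIE_VALUE_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def cookie_response_headers(cookie_id, domain=".a.com", max_age=3600):
    """Return the response headers the endpoint should emit for ?id=...,
    or None when the requested value fails the allowlist."""
    if cookie_id is None or not COOKIE_VALUE_RE.match(cookie_id):
        return None
    set_cookie = (
        f"test={cookie_id}; Max-Age={max_age}; Path=/; Domain={domain}; "
        # SameSite=None is what current browsers require before storing a
        # cookie set in a cross-site context; it must be paired with Secure,
        # so the endpoint has to be served over HTTPS.
        "Secure; HttpOnly; SameSite=None"
    )
    return [
        ("P3P", P3P_COMPACT_POLICY),
        ("Set-Cookie", set_cookie),
        # The response is loaded via <script src=...>; an empty JavaScript
        # body keeps the embedding page from executing anything unexpected.
        ("Content-Type", "application/javascript"),
    ]


class SetCookieHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for http://www.a.com/a_setcookie.php."""

    def do_GET(self):
        params = parse_qs(urlparse(self.path).query)
        headers = cookie_response_headers(params.get("id", [None])[0])
        if headers is None:
            self.send_error(HTTPStatus.BAD_REQUEST, "invalid id")
            return
        self.send_response(HTTPStatus.OK)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Run behind a TLS-terminating proxy: a Secure cookie needs https.
    HTTPServer(("127.0.0.1", 8080), SetCookieHandler).serve_forever()
```

Embedding `<script src="https://www.a.com/a_setcookie.php?id=www.b.com"></script>` from a b.com page reproduces the article's test against this server, and `curl -i 'http://127.0.0.1:8080/?id=www.b.com'` shows the P3P and Set-Cookie headers side by side; a value such as `?id=evil%3B%20Domain%3Da.com` is rejected with 400 instead of being written into the cookie.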

Sending the P3P header from PHP

header( 'P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );

Setting P3P from JS

The original article also shows the header being added to an XMLHttpRequest:

xmlhttp.setRequestHeader( "P3P" , 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );

This does not work. P3P is a response header: IE evaluates the compact policy on the server's response that carries Set-Cookie. setRequestHeader only adds the header to the outgoing request, where no browser looks at it, so the header must be emitted server-side as in the PHP snippet above.

P3P header fields explained
Quoted:

P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Compact Policy token is present. A trailing 'a' means always (the data is used with no choice offered), a trailing 'o' means opt-out, a trailing 'i' means opt-in.

CURa
Information is used to complete the activity for which it was provided.

ADMa
Information may be used for the technical support of the Web site and its computer system.

DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.

PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.

UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.

PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.

INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.

DEM
Data about an individual's characteristics -- such as gender, age, and income.

STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.

PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.

COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.

NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.

OTC
Other types of data not captured by the above definitions.

NOI
Web site does not collect identified data.

DSP
The privacy policy contains DISPUTES elements.

COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
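A parser for the compact policy, added here as an example (not code from the original article or from any P3P tool) that turns a CP="..." string into grouped tokens, splits off the a/i/o qualifiers explained above and flags anything that is not a valid P3P 1.0 compact token. The token table follows the P3P 1.0 compact-policy vocabulary; the assess() verdict is this example's own heuristic for spotting policies a privacy-aware client would reject and does not reproduce Internet Explorer's privacy-slider rules.

```python
"""Parse and sanity-check a P3P compact policy (the CP="..." value).

Added example; not code from the original article or from any P3P tool.
The token table is the P3P 1.0 compact-policy vocabulary. assess() is this
example's own heuristic and does not reproduce IE's privacy-slider rules.
"""
import re

# P3P 1.0 compact tokens grouped by the policy element they abbreviate.
TOKEN_GROUPS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                 "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV",
                 "OTC"},
    "test": {"TST"},
}
# Purpose and recipient tokens may carry a consent qualifier; OUR never does.
QUALIFIERS = {"a": "always", "i": "opt-in", "o": "opt-out"}
QUALIFIABLE = TOKEN_GROUPS["purpose"] | (TOKEN_GROUPS["recipient"] - {"OUR"})
# Categories that identify a person directly (heuristic choice, see above).
IDENTIFYING = {"PHY", "ONL", "GOV", "FIN"}

# Accepts a bare CP="..." as well as a full header value such as
# policyref="/w3c/p3p.xml", CP="...".
_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def _group_of(base):
    for group, tokens in TOKEN_GROUPS.items():
        if base in tokens:
            return group
    return None


def parse_compact_policy(header_value):
    """Return {"tokens": [(group, token, qualifier)], "unknown": [raw...]}.

    qualifier is 'always', 'opt-in', 'opt-out' or None. A token that is not
    in the vocabulary, or carries a qualifier it may not have, is reported
    under "unknown" instead of being silently accepted."""
    m = _CP_RE.search(header_value)
    if not m:
        raise ValueError('no CP="..." compact policy in header value')
    tokens, unknown = [], []
    for raw in m.group(1).split():
        base, qual = raw[:3].upper(), raw[3:].lower()
        group = _group_of(base)
        valid = group is not None and (
            qual == "" or (qual in QUALIFIERS and base in QUALIFIABLE)
        )
        if not valid:
            unknown.append(raw)
            continue
        tokens.append((group, base, QUALIFIERS.get(qual)))
    return {"tokens": tokens, "unknown": unknown}


def assess(header_value):
    """Heuristic verdict: ('satisfactory' | 'unsatisfactory', reasons).

    Flags unknown tokens, a policy that omits purpose, recipient or
    retention without declaring itself non-identifiable, and identifying
    data shared beyond OUR without an opt-in qualifier."""
    parsed = parse_compact_policy(header_value)
    toks = parsed["tokens"]
    groups = {g for g, _, _ in toks}
    categories = {t for g, t, _ in toks if g == "category"}
    shared_without_optin = any(
        g == "recipient" and t != "OUR" and q != "opt-in" for g, t, q in toks
    )
    reasons = []
    if parsed["unknown"]:
        reasons.append("unknown tokens: " + " ".join(parsed["unknown"]))
    if "non-identifiable" not in groups:
        for required in ("purpose", "recipient", "retention"):
            if required not in groups:
                reasons.append(f"no {required} token")
    if categories & IDENTIFYING and shared_without_optin:
        reasons.append("identifying data shared beyond OUR without opt-in")
    return ("unsatisfactory" if reasons else "satisfactory"), reasons


if __name__ == "__main__":
    # The header from the article, parsed and assessed.
    article_cp = ('CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA '
                  'PRE COM NAV OTC NOI DSP COR"')
    for entry in parse_compact_policy(article_cp)["tokens"]:
        print(entry)
    print(assess(article_cp))
```

Run on the article's header, the parser yields 19 tokens with no unknowns, CURa as purpose CUR with qualifier always, PSAo and PSDo as opt-out, and a satisfactory verdict; a typo such as OURa (OUR takes no qualifier) or a made-up token lands in "unknown", which is the check to run before shipping a compact policy, since a malformed one is silently treated as no policy at all.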


PS: the cross-domain case discussed here is setting cookies. If you need to read a cookie across domains, make sure P3P was sent in the response that set that cookie; otherwise IE discards the cross-domain cookie at write time and there is nothing to read later.
