资讯专栏INFORMATION COLUMN

PHP - 利用P3P实现跨域

zzzmh / 3371人阅读

摘要:如何利用实现跨域在开发中,我们碰到的跨域主要还是纠结在,页面中的或者或者跨域的时候,有安全策略限制页面不带,但是如果我们加上,就没有这策略的限制。这也是来突破跨域的可行前提。从上面例子可以看出通过发送头信息而实现的跨域。

P3P是什么 P3P

Platform for Privacy Preferences, 是W3C公布的一项隐私保护推荐标准,以为用户提供隐私保护。

P3P标准的构想是:Web 站点的隐私策略应该告之访问者该站点所收集的信息类型、信息将提供给哪些人、信息将被保留多少时间及其使用信息的方式,如站点应做诸如 “本网站将监测您所访问的页面以提高站点的使用率”或“本网站将尽可能为您提供更合适的广告”等申明。访问支持P3P网站的用户有权查看站点隐私报告,然后决定是否接受cookie 或是否使用该网站。

如何利用P3P实现跨域

在开发中,我们碰到的跨域主要还是纠结在IE,页面中的IFRAME或者FRAME或者JS跨域的时候,IE有安全策略限制页面不带cookie,但是如果我们加上P3P,就没有这策略的限制。这也是P3P来突破跨域的可行前提。

例子: vist: http://www.first.com/vist.html



    
    Title




http://www.second.com/p3p.php
http://www.second.com/getp3p.php
通过浏览器访问:

http://www.first.com/vist.html

http://www.second.com/getp3p.php

我们发现访问first.com/vist.html后,我们并没有在second.com域发现设置上cookie值。

http://www.second.com/p3p.php 增加P3P头部信息:
再次通过浏览器访问:

http://www.first.com/vist.html

http://www.second.com/getp3p.php

在访问second.com域后,设置了first.com域的cookie值。
从上面例子可以看出通过发送P3P头信息而实现的跨域。(在Firefox不发送P3P也能跨域成功)

PHP使用P3P协议

header("P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"");

JS使用P3P协议

xmlhttp.setRequestHeader("P3P" ,"CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"");

P3P的头部参数解释
P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Compact Policy token is present. A trailing "o" means opt-out, a trailing "i" means opt-in.

CURa
Information is used to complete the activity for which it was provided.

ADMa
Information may be used for the technical support of the Web site and its computer system.

DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.

PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

BUS
Info is retained under a service provider"s stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site"s human-readable privacy policy.

UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.

PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.

INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.

DEM
Data about an individual"s characteristics -- such as gender, age, and income.

STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.

PRE
Data about an individual"s likes and dislikes -- such as favorite color or musical tastes.

COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.

NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.

OTC
Other types of data not captured by the above definitions.

NOI
Web Site does not collected identified data.

DSP
The privacy policy contains DISPUTES elements.

COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

这里说的跨域主要是设置cookie的情况,如果是跨域读取cookie,要保证在对应设置cookie的时候设置了P3P,否则在读取的事情IE会屏蔽跨域cookie。

文章版权归作者所有,未经允许请勿转载,若此文章存在违规行为,您可以联系管理员删除。

转载请注明本文地址:https://www.ucloud.cn/yun/26069.html

相关文章

  • SSO单点登录的知识储备

    摘要:规定的服务器路径。的工作原理当一个第一次被启用时,一个唯一的标识被存储于本地的中。利用解决单点登陆跨域问题是公布的一项隐私保护推荐标准,以为用户提供隐私保护。 这段时间在看一些关于SSO单点登录的问题,写下一些记录和一些基础知识的储备。 cookie Cookie是由服务器端生成,发送给User-Agent(一般是浏览器),浏览器会将Cookie的key/value保存到某个...

    Dongjie_Liu 评论0 收藏0
  • yii2中session跨域名的问题

    摘要:可是,我们的域名有这三个域名仅仅是不同的环境,因此,的跨域名访问就引出来了。无论是一二级域名,和不同域名下的跨域,无非要达到两点客户端访问同一个所有域名对应的服务器访问的的数据的位置必须一致。 关闭httponly引起的问题 场景1: 测试A:咦,为什么test环境登录不了呢? 程序员:清缓存。 测试B:握草,dev也登录不了。。。谁看看! 程序员:清缓存。 测试们:。。。唉 场景...

    rollback 评论0 收藏0
  • 项目填坑记-cookie

    摘要:好啦,再次大功告成。由万维网协会研制,它为用户提供了对自己公开信息的更多的控制。支持的站点可以为浏览者声明他们的隐私策略。果然在浏览器中打开设置隐私阻止永不,打开上述设置之后,跨域种瞬间成功。 前段时间开发了一个用户登录的模块,需求很简单,用户输入手机号和验证码,我们就会返回给用户一套身份信息并保存在cookie里面。so easy,于是就有以下代码: // 大致意思如下,并非真实模块...

    Lyux 评论0 收藏0
  • 关于Vue/axios下跨域cookie的处理

    摘要:凡事有例外,以下分别对待不同情况服务器端配置即可客户端配置,这样大部分浏览器都支持跨域了,反正新版本下无问题。但放在默认设置下依然出现无法获取的问题,至此,查资料查到解决存取的跨域问题,依照文中记载,在追加的响应头,解决了下的问题。 一般在生产环境下尽量可以通过nginx等反向代理,把vue前端和api接口处理成同一端口和域名。 在开发和测试时,也可以使用兼容性比较好的浏览器进行。 凡...

    Mike617 评论0 收藏0

发表评论

0条评论

zzzmh

|高级讲师

TA的文章

阅读更多
最新活动
阅读需要支付1元查看
<