2004.07.23 11:07 PM
IE 6.0, W3C, and P3P
I often hear or read about Microsoft's shoddy standards compliance or their evil practice of "embrace and extend", and usually shrug it off, because, honestly, their approach has generally been good for me and my clients. Tonight, though, I got bit.
Q: The W3C states that a compact policy header is optional, but cookies do not seem to work without it. Is a compact policy header required?
Answer: Although compact policies are optional for P3P compliance, they are required by Internet Explorer to determine the Web site's privacy practices concerning cookies.
Of course, I can, kicking and screaming, spelunk through reams of delivered PeopleCode and make sure that every HTTP response for every menu, panel, and IScript includes a CP=... header (injected using the %Response object's SetHeader() method). But, that still doesn't help me with the semi-static PeopleSoft HTML page signin.html, which is used to enter the system in the first place. This page is packaged and delivered to the user by PeopleSoft's IClientServlet Java servlet, whose HTTP header logic I have no control over, and it's during the delivery of this page that the servlet determines whether the user has cookies enabled, and, if they don't, sends them cookiesrequired.html, which helpfully tells them that the "Server is not configured correctly".
By the way, it seems Mozilla and Firefox browsers don't do P3P at all.
I could be wrong on this -- It has been over a year since I did the P3P thing...but couldn't you just set the webserver to add this to its default http header? I could be thinking of something else -- but I do clearly remember doing this for IIS twice, and in Apache once for a few customers...
Perry | 2004.07.28 06:15 AM
Hi Perry - That's what I figured, but I couldn't find it. The only reference to affecting HTTP response headers I could find in the BEA WebLogic help and in on-line searches was to the HttpServletResponse object's setHeader method.
ewbi.develops | 2004.07.28 07:16 AM
Were you able to figure out a way to set the P3P header within WebLogic? We are trying to solve the same problem. Thanks.
Ken | 2004.08.23 10:22 AM
Not yet. We'd hoped to upgrade to WebLogic 8.1 which supports a filter framework (actually introduced with version 6.0, I think), which makes it easy to inject custom logic into the HTTP pipeline:
"Filters are an advanced J2EE feature primarily intended for situations where the developer cannot change the coding of an existing resource and needs to modify the behavior of that resource."
However, we're stuck at operating the app on WebLogic 5.1. So, what we'll probably do is set up an 8.1 server to act as a proxy to the 5.1 server. We can then add a filter on the 8.1 server.
Alternatively, we may adopt a simpler proxy server that allows for easy request/response trapping and manipulation, like this one written in Python by Suzuki Hisao:
ewbi.develops | 2004.08.23 11:08 AM
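An added sketch of the header-injecting proxy approach discussed in the comments above (not code from the post, its commenters, or the Python proxy mentioned there): a small reverse proxy that relays requests to an application server it cannot modify and adds a P3P compact-policy header when the upstream response has none. The names `with_p3p`, `make_proxy` and `demo`, the loopback upstream, and the policy string are assumptions; the compact policy shown is a constructed sample and must be replaced with tokens that describe the site's actual privacy practices.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

P3P_VALUE = 'CP="NOI DSP COR"'  # constructed sample; use your site's real policy
SKIP = {"connection", "keep-alive", "transfer-encoding", "upgrade", "content-length"}

def with_p3p(headers):
    """Drop per-connection headers; add P3P only if upstream sent none."""
    out = [(k, v) for k, v in headers if k.lower() not in SKIP]
    if not any(k.lower() == "p3p" for k, _ in out):
        out.append(("P3P", P3P_VALUE))
    return out

def make_proxy(host, port):
    """Build a handler class that relays GET/POST to the upstream host:port."""
    class Proxy(BaseHTTPRequestHandler):
        def relay(self):
            body = self.rfile.read(int(self.headers.get("Content-Length") or 0)) or None
            fwd = {k: v for k, v in self.headers.items() if k.lower() not in SKIP}
            conn = http.client.HTTPConnection(host, port, timeout=10)
            conn.request(self.command, self.path, body=body, headers=fwd)
            resp = conn.getresponse()
            payload = resp.read()
            conn.close()
            self.send_response_only(resp.status, resp.reason)
            for name, value in with_p3p(resp.getheaders()):
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(payload)))  # recomputed
            self.end_headers()
            self.wfile.write(payload)
        do_GET = do_POST = relay
        log_message = lambda self, *args: None  # keep the demo quiet
    return Proxy

def demo():
    """Fetch through the proxy from a constructed upstream that sends no P3P."""
    class Upstream(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Set-Cookie", "SESSION=constructed; Path=/")
            self.end_headers()
    up = HTTPServer(("127.0.0.1", 0), Upstream)
    px = HTTPServer(("127.0.0.1", 0), make_proxy("127.0.0.1", up.server_port))
    for srv in (up, px):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", px.server_port, timeout=10)
    conn.request("GET", "/signin.html")
    resp = conn.getresponse()
    return resp.status, resp.getheader("P3P"), resp.getheader("Set-Cookie")
```

Calling `demo()` returns the status, the injected P3P header and the untouched upstream cookie; an upstream response that already carries a P3P header is relayed with that header unchanged.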