P3P policy definitions: setting cookies in iframes in IE
First published on May 22, 2012
If you’re developing a Facebook application in an iframe, and in that iframe you need to set cookies, your cookie functionality might not function correctly in Internet Explorer browsers. This is not just the case for Facebook apps, but for many, the issue presents itself for the first time in a Facebook context. A quick Google search reveals an answer of setting a P3P header; if your application is written in PHP, it would look something like this:
But what does it mean? In short, it’s a compact privacy policy framework, letting users know what information you are gathering about them, and what you are going to do with that information. (As stated by Wikipedia, “Microsoft Internet Explorer is the only major browser to support P3P.”) Technically, you can paste that random piece of code into your application and move on; however if you’re wondering what exactly you’re stepping up to, you can see all of the 3-4 character definitions on this site. Also, below is an outline of what the example policy means.
Generally what kind of information is being accessed:
IDC = Identifiable Contact Information: access is given to identified online and physical contact information (e.g., users can access things such as a postal address)
Policy around disputes:
DSP = The privacy policy contains DISPUTES elements.
COR = Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
The purposes of collecting the information:
ADM = Information may be used for the technical support of the Web site and its computer system. Users cannot opt-in or opt-out of this usage (same as tag ADMa).
DEVi = Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. Opt-in means prior consent must be provided by users.
TAIi = Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. Opt-in means prior consent must be provided by users.
PSA = Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage (same as tag PSAa).
PSD = Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage (same as tag PSDa).
IVAi = Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. Opt-in means prior consent must be provided by users.
IVDi = Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. Opt-in means prior consent must be provided by users.
CONi = Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. Opt-in means prior consent must be provided by users.
HIS = Information may be archived or stored for the purpose of preserving social history as governed by an existing law or policy. Users cannot opt-in or opt-out of this usage (same as tag HISa).
Recipient of the information
OUR = Ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
Retention policy
IND = Information is retained for an indeterminate period of time. The absence of a retention policy would be reflected under this option. Where the recipient is a public fora, this is the appropriate retention policy.
Policy categories
CNT = The words and expressions contained in the body of a communication — such as the text of email, bulletin board postings, or chat room communications.