Official site: http://www.w3.org/P3P/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Related terms:
1. A first-party cookie is one that comes from, or is sent to, the website currently being viewed.
2. A third-party cookie is one that comes from, or is sent to, a website other than the one currently being viewed. Third-party websites usually provide content shown on the site being viewed; for example, many sites use advertisements from third-party websites, or load another site's URL in an iframe, and those third-party sites may use cookies.
3. P3P (Platform for Privacy Preferences): P3P was developed by the World Wide Web Consortium and gives Web users more control over the information they disclose. A website that supports P3P can declare its privacy policy to visitors; a browser that supports P3P can compare the site's policy with the user's privacy preferences and warn the user about mismatches, so the user is informed of how the site handles Web privacy.
With P3P the user can specify the browser's privacy policy. By specifying that privacy policy, third-party cookies can be stored and read. This may look unrelated to web applications; the real question is how the server can specify the privacy policy for the user's browser. That is exactly the job of P3P, the subject of this article: when responding to a user's request, add the P3P configuration to the HTTP response headers. From my analysis, most of the current passport (single sign-on) systems use P3P.
PHP hands-on:
1. Edit the hosts file and add the test domains (C:\WINDOWS\system32\drivers\etc\hosts):
127.0.0.1 www.ieliwb_a.com
127.0.0.1 www.ieliwb_b.com
2. Create the test pages:
Contents of www.ieliwb_a.com/set.php:
Contents of http://www.ieliwb_b.com/p3p.php:
Contents of http://www.ieliwb_b.com/look.php:
Test: first visit www.ieliwb_a.com/set.php, then visit http://www.ieliwb_b.com/look.php; you can see that the ieliwb_a domain successfully set a cookie under the ieliwb_b domain. Cross-domain cookie setting for passport single sign-on is basically built on this.
Summary of points to note:
1. The cookie in the page must not be a browser-session cookie (this includes authentication tickets and cookies with no expiry time set), otherwise it cannot be read cross-domain. People who build cross-domain cookies rarely mention this, but if you look at the solutions built by a few universities, they mention in passing that the cookies in their authentication modules have an expiry time set.
2. When using an IFRAME, remember to add the P3P information to the response headers of the corresponding dynamic page; otherwise IE silently blocks the cookies inside the IFRAME and problems follow: a cookie that is never stored naturally cannot be read. This is really a FRAMESET-and-cookie issue and occurs with both FRAME and IFRAME.
3. Outputting TRACE while testing cuts down the testing effort considerably.
4. It seems only IE restricts cross-domain cookie access strictly; tested in Firefox, the code above succeeds even without sending the P3P header.
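The three test pages are not reproduced above, so here is an added example (my code, not the post's own set.php / p3p.php / look.php) that implements the walkthrough together with notes 1 and 2 as a single router script for PHP's built-in web server. The file name router.php, the cookie name sso_token, the demo token value and the port are my assumptions; the P3P compact policy string is the one from the post.

```php
<?php
// router.php: an added example, not the post's own set.php / p3p.php / look.php.
// Serves both test hosts from one script via PHP's built-in server (the hosts
// file entries from step 1 must be in place):
//   php -S 0.0.0.0:80 router.php     (or another port; $portSuffix handles it)
// Assumptions: the cookie name "sso_token", the demo token value and the port.

const DOMAIN_A = 'www.ieliwb_a.com';
const DOMAIN_B = 'www.ieliwb_b.com';
// Compact policy copied from the post; IE compares it with the user's privacy setting.
const P3P_CP = 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"';

// Host without port, path without query string.
$host = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$port = (int)($_SERVER['SERVER_PORT'] ?? 80);
$portSuffix = $port === 80 ? '' : ':' . $port;

if ($host === DOMAIN_A && $path === '/set.php') {
    // The page on domain A embeds a page from domain B. The framed response is
    // a third-party context, so IE only keeps its cookie if B sends a P3P header.
    $token = 'demo-token-123';   // constructed value; a real SSO would mint a signed token
    $src = 'http://' . DOMAIN_B . $portSuffix . '/p3p.php?token=' . rawurlencode($token);
    header('Content-Type: text/html; charset=utf-8');
    echo '<h1>set.php on ' . DOMAIN_A . '</h1>';
    echo '<iframe src="' . htmlspecialchars($src, ENT_QUOTES) . '" width="400" height="60"></iframe>';
} elseif ($host === DOMAIN_B && $path === '/p3p.php') {
    // Only store a token of the expected shape; anything else is rejected.
    $token = $_GET['token'] ?? '';
    if (!preg_match('/^[A-Za-z0-9-]{1,64}$/', $token)) {
        http_response_code(400);
        exit('bad token');
    }
    header('P3P: ' . P3P_CP);   // headers must be sent before any body output
    // Note 1 of the post: a session cookie (no expiry) is not kept cross-domain,
    // so give it an explicit lifetime (one hour here). HttpOnly keeps it out of scripts.
    setcookie('sso_token', $token, time() + 3600, '/', DOMAIN_B, false, true);
    header('Content-Type: text/plain; charset=utf-8');
    echo 'cookie set on ' . DOMAIN_B;
} elseif ($host === DOMAIN_B && $path === '/look.php') {
    // Read the cookie back in a first-party request to domain B.
    header('Content-Type: text/plain; charset=utf-8');
    echo 'sso_token=' . ($_COOKIE['sso_token'] ?? '(not set)');
} else {
    http_response_code(404);
    echo 'unknown host or path';
}
```

Visit http://www.ieliwb_a.com/set.php and then http://www.ieliwb_b.com/look.php in IE; with the `header('P3P: ...')` line removed, IE's default (Medium) privacy setting discards the framed cookie and look.php reports "(not set)". Two caveats for anyone reading this today: the compact policy is a self-declared claim that IE takes at face value, which is the point made at the end of the post, and only Internet Explorer ever evaluated it. Current browsers ignore the P3P header, decide third-party cookie handling by the SameSite attribute (a cookie must carry SameSite=None; Secure to be sent in a cross-site frame) and increasingly block third-party cookies outright, so this mechanism should be treated as historical rather than as a design to build on.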
Meaning of the P3P code
P3P header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Compact Policy tokens are present. On a purpose token, a trailing 'a' means the purpose always applies, a trailing 'o' means opt-out, and a trailing 'i' means opt-in.
CURa: Information is used to complete the activity for which it was provided.
ADMa: Information may be used for the technical support of the Web site and its computer system.
DEVa: Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purposes of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
PSDo: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR: We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS: Information is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction timetable. The retention policy MUST be included in or linked from the site's human-readable privacy policy.
UNI: Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR: Information actively generated by the purchase of a product or service, including information about the method of payment.
INT: Data actively generated from or reflecting explicit interactions with a service provider through its site, such as queries to a search engine, or logs of account activity.
DEM: Data about an individual's characteristics, such as gender, age, and income.
STA: Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously, such as HTTP cookies.
PRE: Data about an individual's likes and dislikes, such as favorite color or musical tastes.
COM: Information about the computer system that the individual is using to access the network, such as the IP number, domain name, browser type or operating system.
NAV: Data passively generated by browsing the Web site, such as which pages are visited, and how long users stay on each page.
OTC: Other types of data not captured by the above definitions.
NOI: The Web site does not collect identified data.
DSP: The privacy policy contains DISPUTES elements.
COR: Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
A final murmur: P3P is a rather frightening thing, since the server is able to change the browsing user's privacy policy.
花太香齐, 2009/12/18. Idle and bored, so I summarized the techniques used during development.