Okay, here's the scoop, thanks to everyone who contributed!!
Sorry for the very long email too, it's good reading. LOL
(Miva, I put a possible wish/support request at the bottom)
Internet Explorer 6 will never request the P3P policy
from a 3rd party site that is trying to send it cookies.
It does not matter how nice your policy is, IE does not
care and won't retrieve it. What it does like to see is
a P3P header added on to your web server's HTTP response.
This takes the format:
P3P: NOI DEVa TAIa OUR BUS UNI STA
That's my exact header for one of my store sites that
people reach through a static site on another domain name.
When they hit the static site, I attempt to give them a
reference to the Merchant site so that they can have a
session ID that Ivo's mmhtml module will later use to tell
me the customer's original referer so I can see where they
came from and what advertising ventures are working out.
So this whole time, I'm trying to figure out why this
header is not making IE6 store my 3rd party cookie at the
static storefront page. I am using a .htaccess file
under Apache to tell it to send the P3P header out with
my compact privacy policy in the headers on the static
site and on the Merchant site. I even used a sniffer
to verify that the header was indeed being sent out with
the response from the web server...
Well it turns out I was not thorough enough in my
inspection of the actual web server response, I only
checked the static site for the header. What was actually
happening all along is that my P3P compact header is fine,
but it was NOT being served to the client IE6 from the
shopping site, it was missing from the header even though
I did everything correctly via the .htaccess file. It
seems that the .htaccess file is ignored when Apache is
asked to serve a request that needs processing by the
Empresa binary. So people were being sent to the 3rd
party site to get the cookie but the P3P compact header
was not coming back with it so IE6 rejected it. I had
to remove my .htaccess file and put the apache 'Header'
command into the apache config file directly for that
site instead, that allowed Apache to send back the P3P
header with Empresa-processed documents and the P3P header
now allows default IE6 to accept my '3rd party' cookies
from my Merchant site to my static site.
Miva, if it's possible, I think Merchant should be able
to tell Empresa to send back custom HTTP headers. I
believe it should be able to do this, not positive though.
If that could be done, a box could be added to Merchant
so that sites that have created P3P policies, could
generate their corresponding P3P Compact Policy to be
placed into the P3P header for their site. This might
be required for users who need P3P headers but do not
have administrative rights to the web server.
Other site admins, although it has the ability to
create a policy file that is in violation of the standard,
IBM's P3P policy editor is very helpful. It will create
you a policy, possibly from templates, and then generate
your P3P xml policy file, your P3P policy reference
file (/privacy/policy.p3p#name), an html file that outlines
the policy in human readable form, and your P3P compact
policy headers for use with your web server. Just make
absolutely sure that if you choose to add in explicit
included and excluded URL's of sections of your site
covered by the policy, that you don't refer to any other
domains, I made this mistake thinking I could make a multi-
site policy, that is not allowed by the P3P spec.
Thanks, good luck to all, feel free to email me any questions
you have about this, I'd love to keep any of you from having
as much trouble, :-)
David
Hostasaurus.Com
Comment