Network Working GroupM. Marchiori
Expires: August 6, 2002R. Lotenberg
 February 5, 2002

The HTTP header for the Platform for Privacy Preferences 1.0 (P3P1.0)

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at

The list of Internet-Draft Shadow Directories can be accessed at

This Internet-Draft will expire on August 6, 2002.

Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.


The Platform for Privacy Preferences 1.0[4] (P3P1.0) specification describes how to associate a privacy policy with each URI request. Such associations are contained in a so-called policy reference file. This draft describes a new HTTP response header which indicates the location of such policy reference file. This header is intended to be a part of the P3P1.0 framework and should be treated in the full context of the P3P1.0 specification[4].


Table of Contents


1. Introduction

1.1 Background

The Platform for Privacy Preferences 1.0[4] (P3P1.0, henceforth "P3P") is a specification currently under development at the World Wide Web Consortium (W3C).

P3P creates a framework for standardized, machine-readable privacy policies, and consumer products that read these policies. P3P's design allows Web sites to deliver automated privacy statements, and makes it possible for users' browsers to review the statements and to automate decision-making based on these practices when appropriate.

For more information on the P3P specification please consult the P3P specification document[4].

1.2 Motivation

Locating a P3P policy reference file is one of the first steps in the operation of the P3P protocol. A P3P policy reference file associates to a URI or set of URIs the appropriate privacy policies. User agents (e.g., web browsers) can use policy references to automatically locate the privacy policy which applies to a page, so that they can process that policy for the benefit of their user.

The P3P HTTP header comes into play by providing the URI in which the policy reference file can be found.

1.3 Conventions

The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY" in this document are to be interpreted as described in RFC-2119[3].


2. The P3P HTTP header

Any document retrieved by HTTP may point to a policy reference file through the use of the P3P HTTP response header, the "PolicyRef" header.

The PolicyRef header contains the URI of a policy reference file, which will usually state the P3P policy covering the document that pointed to the reference file, and possibly others as well. The URI specified in the PolicyRef header MUST NOT be used for any other purpose beyond identifying and referencing P3P policies.

The P3P policy reference header SHOULD be inserted whenever a P3P-enabled server responds to a relevant request, including when it responds to HEAD and OPTIONS requests.

Since policy references may be processed by agents anywhere along the response chain, the P3P header is an end-to-end HTTP extension.

The PolicyRef header can be safely ignored by those applications/agents that do not understand it.


3. Header Syntax

The P3P header gives one or more comma-separated directives. The syntax follows, specified using ABNF rules (as per RFC2234[5]):

p3p-header       = `P3P: ` p3p-header-field *(`,` p3p-header-field)

p3p-header-field = policy-ref-field | compact-policy-field | extension-field

policy-ref-field = `policyref="` URI-reference `"`

extension-field  = token [`=` (token | quoted-string) ]

Here, URI-reference is defined as per RFC 2396[1], token and quoted-string are defined by HTTP1.1[6].

In keeping with the rules for other HTTP headers, the P3P portion of this header may be written in any case.

The policyref directive gives a URI which specifies the location of the policy reference file which will state the P3P policy covering the document that pointed to the reference file, and possibly others as well.

The compact-policy-field is used to specify "compact policies". They are described in the next section.

User agents which find unrecognized directives (in the extension-fields) MUST ignore the unrecognized directives. This is to allow easier deployment of future versions of P3P.

For example:

  1. Client makes a GET request.

        GET /index.html HTTP/1.1 
        Accept: */* 
        Accept-Language: de, en 
        User-Agent: WonderBrowser/5.2 (RT-11) 
  2. Server returns content and the PolicyRef header pointing to the policy of the page.

        HTTP/1.1 200 OK 
        P3P: policyref=""
        Content-Type: text/html 
        Content-Length: 7413 
        Server: CC-Galaxy/1.3.18 


4. Compact Policies

Compact policies are essentially summaries of P3P policies. They can be used by user agents to quickly get approximate information about P3P policies, therefore improving performance.

For an in-depth explanation of compact policies, we refer to the P3P1.0[4] specification. Here, we limit to stating the syntax:

compact-policy-field  = `CP="` compact-policy `"`

compact-policy        = compact-token *(" " compact-token) 

compact-token         = compact-access           |
                        compact-disputes         |
                        compact-remedies         |
                        compact-non-identifiable |
                        compact-purpose          |
                        compact-recipient        |
                        compact-retention        |
                        compact-categories       |

compact-access        = "NOI" | "ALL" | "CAO" | "IDC" | "OTI" | "NON"

compact-disputes      = "DSP" 

compact-remedies      = "COR" | "MON" | "LAW"

compact-non-identifiable = "NID" 

compact-purpose       = "CUR"        | "ADM" [creq] | "DEV" [creq] | "TAI" [creq] | 
                        "PSA" [creq] | "PSD" [creq] | "IVA" [creq] | "IVD" [creq] | 
                        "CON" [creq] | "HIS" [creq] | "TEL" [creq] | "OTP" [creq]

creq                  = "a" | "i" | "o"

compact-recipient     = "OUR" | "DEL" [creq] | "SAM" [creq] | "UNR" [creq] | 
                        "PUB" [creq] | "OTR" [creq]

compact-retention     = "NOR" | "STP" | "LEG" | "BUS" | "IND"

compact-category      = "PHY" | "ONL" | "UNI" | "PUR" | "FIN" | "COM" | 
                        "NAV" | "INT" | "DEM" | "CNT" | "STA" | "POL" | 
                        "HEA" | "PRE" | "LOC" | "GOV" | "OTC"

compact-test          = "TST"


5. Security Considerations

There are no additional security requirements transporting the P3P header beyond the requirements of the document it is associated with.


6. Notes

This draft is also present on the W3C site at the address Enriched HTML and XML versions can be found at the addresses and respectively. The XML version is compliant to RFC-2629[7].


7. Acknowledgments

This draft was produced by the P3P Specification Working Group; please see authors and contributors of the Platform for Privacy Preferences 1.0 Specification[4].

Thanks to Marshall Rose for his conversion tools from the RFC-2629[7] XML format to HTML and RFC.



[1] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Location (URI): Generic Syntax and Semantics", RFC 2396, August 1998.
[2] Bradner, S.O., "The Internet Standards Process -- Revision 3", RFC 2026, BCP 9, October 1996.
[3] Bradner, S.O., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, BCP 14, March 1997.
[4] Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall, M. and J. Reagle, "The Platform for Privacy Preferences 1.0 (P3P1.0) Specification", W3C P3P1.0, December 2000.
[5] Crocker, D. and P. Overel, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997.
[6] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[7] Rose, M.T., "Writing I-Ds and RFCs using XML", RFC 2629, June 1999.


Authors' Addresses

  Massimo Marchiori
  200 Technology Square
  Cambridge, MA 02139
Phone:  +39 041 2908423
  Ran Lotenberg
  Blauer Drive
  Saratoga, CA 20454
Phone:  +1 408 8721541


Full Copyright Statement