The HTTP header for the Platform for Privacy Preferences 1.0 (P3P1.0)W3C/MIT/UNIVE200 Technology SquareCambridgeMA02139US+39 041 firstname.lastname@example.org://www.w3.org/People/Massimo/IDcideBlauer DriveSaratogaCA20454US+1 408 email@example.com://www.idcide.com
World Wide Web
The Platform for Privacy Preferences 1.0 (P3P1.0)
Such associations are contained in a so-called policy reference file.
This draft describes a new HTTP response header which indicates the
location of such policy reference file.
This header is intended to be a part of the P3P1.0 framework and should
be treated in the full context of the P3P1.0 specification.
The Platform for Privacy Preferences 1.0 (P3P1.0, henceforth "P3P") is a specification
currently under development at the World Wide Web Consortium (W3C).
P3P creates a framework for standardized, machine-readable
privacy policies, and consumer products that read these policies.
P3P's design allows Web sites to deliver automated privacy
statements, and makes it possible for users' browsers to review the
statements and to automate decision-making based on these practices
For more information on the P3P specification please consult the
P3P specification document.
Locating a P3P policy reference file is one of the first steps in
the operation of the P3P protocol. A P3P policy reference file associates
to a URI or set of URIs the appropriate privacy policies. User agents (e.g., web browsers)
a page, so that they can process that policy for the benefit of
The P3P HTTP header comes into play by
providing the URI in which the policy reference file can be found.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY" in
this document are to be interpreted as described in RFC-2119.
Any document retrieved by HTTP may point to a policy reference file
through the use of the P3P HTTP response header, the "PolicyRef"
The PolicyRef header contains the URI of a policy reference file,
which will usually state the P3P policy covering the document that pointed
to the reference file, and possibly others as well.
The URI specified in the PolicyRef header MUST
NOT be used for any other purpose beyond identifying and referencing
The P3P policy reference header SHOULD be
inserted whenever a P3P-enabled server responds to a relevant
request, including when it responds to HEAD and OPTIONS requests.
Since policy references may be processed by agents anywhere along the response
chain, the P3P header is an end-to-end HTTP extension.
The PolicyRef header can be safely ignored by those applications/agents that do
not understand it.
The P3P header gives one or more comma-separated directives. The syntax follows,
specified using ABNF rules (as per RFC2234):
Here, URI-reference is defined as per RFC 2396, token and quoted-string are
defined by HTTP1.1.
In keeping with the rules for other HTTP headers, the P3P portion of this header may be written
in any case.
The policyref directive gives a URI which specifies the location of the policy reference
file which will state the P3P policy covering the document that pointed to the reference file,
and possibly others as well.
The compact-policy-field is used to specify "compact policies".
They are described in the next section.
User agents which find unrecognized directives (in the extension-fields) MUST ignore
the unrecognized directives. This is to allow easier deployment of future versions of P3P.
Compact policies are essentially summaries of P3P policies. They can
be used by user agents to quickly get approximate
information about P3P policies, therefore improving performance.
For an in-depth explanation of compact policies, we refer to the
P3P1.0 specification. Here, we limit
to stating the syntax:
There are no additional security requirements transporting the P3P header beyond the
requirements of the document it is associated with.
This draft is also present on the W3C site at the address
Enriched HTML and XML versions can be found at the addresses
http://www.w3.org/2002/02/draft-marchiori-w3c-p3p-header-01.xml respectively. The XML version
is compliant to RFC-2629.
This draft was produced by the
P3P Specification Working Group;
authors and contributors
of the Platform for Privacy Preferences 1.0 Specification.
Thanks to Marshall Rose for his conversion tools from the
RFC-2629 XML format to HTML and RFC.Uniform Resource Location (URI): Generic Syntax and SemanticsW3C/MITMIT Laboratory for Computer Science200 Technology SquareCambridgeMA02139US+1 617 253 5702+1 617 258 firstname.lastname@example.orgUC IrvineXeroxThe Internet Standards Process -- Revision 3Harvard UniversityHolyoke Center, Room 8131350 Massachusettes AvenueCambridgeMA02138US+1 617 495 email@example.comKey words for use in RFCs to Indicate Requirement LevelsHarvard UniversityHolyoke Center, Room 8131350 Massachusettes AvenueCambridgeMA02138US+1 617 495 firstname.lastname@example.orgThe Platform for Privacy Preferences 1.0 (P3P1.0) SpecificationAT&Tlorrie@research.att.comETH Zurichlanghein@inf.ethz.chW3C/MIT/UNIVE200 Technology SquareCambridgeMA02139US+39 041 email@example.com://www.w3.org/People/Massimo/IBMmpresler@us.ibm.comW3C/MITreagle@w3.orgAugmented BNF for Syntax Specifications: ABNFDemon Internet Ltd.Demon Internet Ltd.Hypertext Transfer Protocol -- HTTP/1.1UC IrvineCompaq/W3CCompaqW3C/MITXeroxMicrosoftW3C/MITMIT Laboratory for Computer Science200 Technology SquareCambridgeMA02139US+1 617 253 5702+1 617 258 firstname.lastname@example.orgWriting I-Ds and RFCs using XMLInvisible Worlds, Inc.660 York StreetSan FranciscoCA94110US+1 415 695 email@example.com http://invisible.net/