Technical Issues in Implementing P3P in Netscape 7.0
Harish Dhurvasula, Dave Barrowman, and Steve Morse
Netscape Communications Corporation
Mountain View, California.
Introduction

Netscape Communications introduced support for aspects of the W3C P3P specification in Netscape 7.0. Like other implementations, P3P in Netscape 7.0 focuses on privacy policy location and display, and cookie management via P3P compact policies. To implement these new features, Netscape leveraged facilities already present in the Netscape client, such as the XML parser, XSLT engine, and the XUL-based cookie manager. This paper describes the Netscape 7.0 P3P implementation and discusses some of the issues encountered by the Netscape development team in this development effort.

P3P in Netscape 7.0

A P3P-enabled web browser, such as Netscape 7.0, can inform web users about the privacy policies of the web sites they visit, and allows users to make informed decisions before releasing any personal information. Netscape 7.0 introduces two P3P features: a P3P policy viewer and P3P compact policy-based cookie management. The policy viewer allows users to view a web site's published privacy policy and/or the privacy summary (based on the machine-readable policy), which states what data is collected and how the data will be used by the web site. The compact policy-based cookie management feature provides a visual warning to the user when a web site passes cookies which collect personally identifiable information without the user's explicit consent.

Technical Details

Policy Viewer:
The Policy Viewer implementation, in Netscape 7.0, is built over several emerging technologies, including:

eXtensible Markup Language (XML)
A P3P-enabled Web site encodes its data-collection and data-use practices in a machine-readable (XML) format known as a P3P policy. When the user requests the Web site's privacy summary, the machine-readable policy (located by the policy reference file) is loaded into the Netscape Gecko XML parser, and is parsed in accordance with the XML specification. Policies and policy reference files that do not conform to the well-formedness constraints are considered invalid and hence are not rendered. However, policies and policy reference files that do not conform to the XML schema are still considered valid, since the XML parser in Gecko is not a validating parser. The machine-readable policy is then transformed into a human-readable format by using eXtensible Stylesheet Language Transformation (XSLT).

eXtensible Stylesheet Language Transformation (XSLT)
XSLT is a declarative language that extracts data from an XML document and transforms it into a new data structure. The new data structure can then be formatted to a desired output. In Netscape 7.0 the transformation (from machine-readable to human-readable format) is accomplished by template rules that map P3P elements to appropriate human-readable messages. These messages are then compiled into an HTML document. The transformed HTML document is rendered in the policy viewer window.

eXtensible User Interface Language (XUL)
XUL is an XML based language for describing the contents of browser windows and dialogs. XUL is cross platform, can be styled, and is easily localizable. Netscape 7.0 uses XUL to construct toolbars, buttons, trees, menus, and dialog controls. P3P controls are also built on XUL and the user can view the Web sites' published policy, privacy summary, and privacy options by clicking on "Policy", "Summary", and "Options" buttons respectively. These buttons are located in the "Privacy Tab" off of the "Page-Info" window.

Cookie Management:
The compact policy-based cookie management is supported by the following:

Compact Policy Parser
The compact policy parser is called into play when an HTTP response containing the policy is received. The parser processes the policy and deduces a consent level that is used to decide how the cookies associated with that policy are treated.

P3P Preferences
This is a XUL-based dialog in which the user specifies special treatments for cookies based on the sending site's compact policy. In particular, the user can specify under which compact-policy statements cookies are to be accepted, rejected, downgraded, or flagged.

P3P Icon
This is a XUL icon appearing on the status line whenever a cookie has been given special treatment based on the p3p preferences. For example, if a cookie has been downgraded, flagged, or rejected because the combination of the compact policy and the user's preferences requested such an action, the icon appears. Clicking on this icon brings up a dialog which allows the user to get to the cookie manager to see which cookies were affected. Once the user has seen the dialog, the icon disappears and remains gone until another cookie is given such special treatment.

Cookie Manager
This is a XUL-based dialog in which the user can view the cookies that have been accepted and details about those cookies. In particular, this dialog will show if any cookies in the current session have received special treatment due to the combination of the site's compact policy and the user's P3P preferences.

Platform Independence:
Because of the platform independence of XML, XSLT, and XUL, Netscape was able to deliver an identical P3P implementation across Windows, Macintosh (Classic and OS X), and Linux, with no additional development effort.

Issues Encountered

Quotes ( ' or "):
The P3P compact policy header has a quoted string that may contain one or more delimited tokens. According to the compact policy syntax ( `CP="` compact-policy `"` ), tokens should be enclosed within double quotes. However, in practice, Web sites often enclose compact policy tokens within single quotes. In order to be compatible with such web sites, Netscape 7.0, like other user agents, deviates from the standard and does allow compact policy tokens to be enclosed in single quotes. Why is the P3P specification strict about using double quotes?

Slash ( / or \ ):
According to RFC 2396, path segments in a URI path should be separated by a forward slash ( "/" ). However, other user agents consider the backslash ( "\" ) a legal delimiter for path segments (probably to support Windows users) specified in the policy reference file. In order to support sites which use the backslash, Netscape 7.0 must not follow the specification (RFC) closely. The P3P specification should address such issues.
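The two behaviours described above, a non-validating parse of the policy reference file (well-formedness is enforced, schema conformance is not) and tolerance of backslash path separators, are shown together in the following added example. It is not Netscape or Gecko code; the element names and the P3Pv1 namespace come from the P3P 1.0 specification, and the three sample policy reference files are constructed for the example.

```python
"""Loading a P3P policy reference file the way a non-validating XML
parser does: reject XML that is not well-formed, accept anything that
is well-formed (even if it violates the P3P schema), and tolerate
backslashes as path separators in policy locations.

Added example, not Netscape/Gecko code.  Element names and namespace
are from the P3P 1.0 specification; sample documents are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"


def _local(tag):
    """Strip the namespace: '{ns}POLICY-REF' -> 'POLICY-REF'."""
    return tag.rsplit("}", 1)[-1]


def normalize_path(ref):
    """Tolerate backslash separators (the RFC 2396 deviation the paper
    describes): '\\w3c\\policy.xml' -> '/w3c/policy.xml'."""
    return ref.replace("\\", "/")


def is_well_formed(xml_text):
    """True if the expat parser accepts the document as well-formed XML."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def load_policy_reference(xml_text, base_url):
    """Parse a policy reference file fetched from base_url and return a
    list of (absolute_policy_url, [include_paths]) tuples.

    Raises ValueError for XML that is not well-formed.  Elements outside
    the P3P schema are ignored rather than rejected, which is exactly
    what a non-validating parser does.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"policy reference file is not well-formed: {exc}")
    refs = []
    for elem in root.iter():
        if _local(elem.tag) != "POLICY-REF":
            continue
        about = elem.get("about")
        if about is None:
            continue  # schema violation, but no validation is performed
        policy_url = urljoin(base_url, normalize_path(about))
        includes = [normalize_path((child.text or "").strip())
                    for child in elem if _local(child.tag) == "INCLUDE"]
        refs.append((policy_url, includes))
    return refs


# Constructed sample: well-formed and conforms to the schema.
GOOD_PRF = f"""<META xmlns="{P3P_NS}">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policy.xml#policy1">
      <INCLUDE>/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# Constructed sample: well-formed but NOT schema-valid (an element the
# schema does not define, and backslash separators).  Still accepted.
SLOPPY_PRF = f"""<META xmlns="{P3P_NS}">
  <POLICY-REFERENCES>
    <POLICY-REF about="\\w3c\\policy.xml#policy1">
      <INCLUDE>\\cgi-bin\\*</INCLUDE>
      <VENDOR-EXTENSION>ignored</VENDOR-EXTENSION>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# Constructed sample: not well-formed (POLICY-REF is never closed).
BROKEN_PRF = f"""<META xmlns="{P3P_NS}">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policy.xml">
  </POLICY-REFERENCES>
</META>"""

if __name__ == "__main__":
    base = "http://www.example.com/w3c/p3p.xml"
    print(load_policy_reference(GOOD_PRF, base))
    print(load_policy_reference(SLOPPY_PRF, base))
    print(is_well_formed(BROKEN_PRF))
```

The split between `is_well_formed` and `load_policy_reference` mirrors the paper's distinction: the only rejection a non-validating parser can make is on well-formedness, so a vendor element or a backslash path passes through and has to be handled by the application code that consumes the parsed tree.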

Unknown CP Tokens:
The P3P specification does not address how user agents should handle tokens that are not in the compact policy vocabulary. Netscape 7.0 considers a compact policy with unknown tokens as an invalid policy and treats it as though the policy collects personally identifiable information without users' consent. (Reasoning: Unknown token == unknown / unexplained behavior and therefore is potentially malicious). The specification should clarify how user agents should treat such tokens.
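A compact policy parser of the kind described under "Compact Policy Parser" above, combined with the two deviations discussed in this section (accepting single as well as double quotes around the CP value, and treating any token outside the vocabulary as an invalid policy), is given below as an added example. It is not Netscape's parser. The token vocabulary is an abridged form of the P3P 1.0 compact policy table; the rule used to decide whether identifiable data is collected without consent is an illustrative assumption for this example and not Netscape 7.0's exact rule.

```python
"""Compact policy (CP) parsing for a P3P response header.

Added example, not Netscape/Gecko code.  Vocabulary abridged from the
P3P 1.0 compact policy table; the consent rule is illustrative.
"""
import re

# Abridged P3P 1.0 compact policy vocabulary, grouped by policy element.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NONIDENT = {"NID"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
KNOWN = (ACCESS | DISPUTES | REMEDIES | NONIDENT | PURPOSES | RECIPIENTS
         | RETENTION | CATEGORIES | TEST)

# Purpose and recipient tokens may carry an opt-in/opt-out/always suffix
# (i/o/a).  Assumption: this example accepts the suffix on every purpose
# and recipient token; the spec's table is narrower.
SUFFIXABLE = PURPOSES | RECIPIENTS
# Uses that never need a separate consent: "current" purpose and "ours".
ALWAYS_PERMITTED = {"CUR", "OUR"}
# Categories treated as personally identifying (illustrative assumption).
IDENTIFYING = {"PHY", "ONL", "GOV", "FIN"}

# Spec syntax is CP="..."; like Netscape 7.0 we also accept CP='...'.
_CP_RE = re.compile(r"""CP\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL)


def extract_compact_policy(p3p_header_value):
    """Return the CP string from a P3P header value, or None if absent."""
    m = _CP_RE.search(p3p_header_value)
    return m.group(2) if m else None


def parse_tokens(cp_string):
    """Split a CP string into ([(base, suffix), ...], [unknown, ...]).
    Tokens are compared case-insensitively."""
    known, unknown = [], []
    for raw in cp_string.split():
        tok = raw.upper()
        base, suffix = tok, ""
        if len(tok) == 4 and tok[3] in "AIO" and tok[:3] in SUFFIXABLE:
            base, suffix = tok[:3], tok[3].lower()
        if base in KNOWN:
            known.append((base, suffix))
        else:
            unknown.append(raw)
    return known, unknown


def evaluate_compact_policy(p3p_header_value):
    """Deduce a verdict used to decide how the response's cookies are
    treated: 'no-policy', 'unknown-token', 'pii-without-consent' or 'ok'.
    A user agent following the paper treats 'unknown-token' exactly like
    'pii-without-consent'."""
    cp = extract_compact_policy(p3p_header_value)
    if cp is None:
        return "no-policy"
    known, unknown = parse_tokens(cp)
    if unknown:
        # Unknown token == unexplained behaviour, hence an invalid policy.
        return "unknown-token"
    bases = {b for b, _ in known}
    if "NID" in bases:
        return "ok"  # site declares it collects no identifiable data
    collects_pii = bool(bases & IDENTIFYING)
    # Illustrative rule: every purpose/recipient beyond CUR/OUR must be
    # opt-in ("i") for the identifiable data use to count as consented.
    consented = all(s == "i" for b, s in known
                    if b in SUFFIXABLE and b not in ALWAYS_PERMITTED)
    if collects_pii and not consented:
        return "pii-without-consent"
    return "ok"


if __name__ == "__main__":
    # Constructed header values.
    for hdr in ('CP="NOI DSP COR NID CUR OUR BUS", policyref="/w3c/p3p.xml"',
                "CP='NOI DSP COR CUR ADMa OUR BUS PHY ONL'",
                'CP="NOI DSP XYZ CUR OUR"'):
        print(hdr, "->", evaluate_compact_policy(hdr))
```

Keeping `extract_compact_policy` separate from the token logic localises the quoting deviation to one regular expression, so a user agent that later wants to follow the specification strictly only has to tighten that pattern.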

HTML/XHTML Meta Tag:
Compact policies could be specified in the content itself (via an HTML/XHTML meta tag) rather than in the HTTP headers. If cookies are set in the HTTP headers, they might be processed before the compact policy from the content is received. In that case the information will not be present when it is needed to make decisions. Since there is no easy solution to this problem, the specification should explicitly rule out compact policies in meta tags.

Privacy Icon:
In Netscape 7.0 the privacy icon appears, based on the settings, to indicate that action has been taken against a cookie encountered during that browsing session. The icon persists until it is clicked (taking the user to the Netscape 7.0 cookie manager). This may be confusing because the meaning of the icon is implicit and could mislead the user into distrusting a site with "harmless" cookies. Other user agents display a warning icon with respect to the site and not with respect to the session, so when the user leaves the site, the icon disappears. However, the cookie persists, and can be read (silently) by the site the next time the user visits that site.

Observations

Policy Syntax:
Requiring policies to be encoded in XML is an important and correct step towards the future of P3P. With XML encoding, policies are well-formed, well-understood, and easier to parse. Since XML is extensible, newer sets of P3P elements and attributes can be defined to meet future needs.

Latency:
Having multiple mechanisms to locate a file is a recipe for latency. To reduce latency P3P should focus on one efficient way to locate the policy reference file.

Tags:
Bandwidth savings may be achieved by reducing the number of tags required to encode a policy. Also, by grouping tags into broader categories (PII tags, non-PII tags, etc.) and not being too granular, it is possible to reduce the latency of processing policy files. Furthermore, to attain better compression, tag names can be shortened and lower-cased while maintaining meaningful semantics.

Caching:
Since policies are cacheable, to attain better network performance, there needs to be a way to determine that cached policies are not obsolete.

Conclusion

In providing support for P3P, Netscape was able to take advantage of several existing browser components. This was largely due to the fact that P3P is an XML application; Netscape considers the fact that P3P is based on XML to be a key aspect of the standard, and its extensibility will be a great advantage as the standard evolves.