Netscape Communications introduced support for aspects of the W3C P3P specification in Netscape 7.0. Like other implementations, P3P in Netscape 7.0 focuses on privacy policy location and display, and cookie management via P3P compact policies. To implement these new features, Netscape leveraged facilities already present in the Netscape client, such as the XML parser, XSLT engine, and the XUL-based cookie manager. This paper describes the Netscape 7.0 P3P implementation and discusses some of the issues encountered by the Netscape development team in this development effort.
P3P in Netscape 7.0
A P3P enabled web browser, such as Netscape 7.0, can inform web users about the privacy policies of the web sites they visit, and allows users to make informed decisions before releasing any personal information. Netscape 7.0 introduces two P3P features: a P3P policy viewer and P3P compact policy-based cookie management. The policy viewer allows users to view a web site's published privacy policy and/or a privacy summary (based on the machine-readable policy) that describes what data is collected and how the web site will use it. The compact policy-based cookie management feature provides a visual warning to the user when a web site passes cookies that collect personally identifiable information without the user's explicit consent.
Technical Details
eXtensible Markup Language (XML)
A P3P enabled Web site encodes its data-collection and data-use practices
in a machine-readable (XML) format known as a P3P policy. When the user requests
the Web site's privacy summary, the machine-readable policy (located
by the policy reference file) is loaded into the Netscape Gecko XML parser,
and is parsed in accordance with the XML specification. Policies
and policy reference files that do not conform to the well-formedness
constraints are considered invalid and hence are not rendered. However,
policies and policy reference files that do not conform to the XML schema
are still considered valid, since the XML parser in Gecko is not a validating parser.
The machine-readable policy is then transformed into a human-readable format
by using eXtensible Stylesheet Language Transformation (XSLT).
eXtensible Stylesheet Language Transformation (XSLT)
XSLT is a declarative language that extracts data from an XML document
and transforms it into a new data structure. The new data structure can
then be formatted to a desired output. In Netscape 7.0 the transformation
(from machine-readable to human-readable format) is accomplished by template
rules that map P3P elements to appropriate human-readable messages. These
messages are then compiled into an HTML document. The transformed HTML
document is rendered in the policy viewer window.
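The two steps above (well-formedness check by a non-validating parser, then template rules mapping P3P elements to human-readable messages) can be illustrated with the following added example; it is not Netscape's code, it uses Python's standard library instead of Gecko and XSLT, and the message wording and the sample policy are constructed for this example.

```python
import xml.etree.ElementTree as ET
# The namespace and element names (POLICY, STATEMENT, PURPOSE, ...) come
# from the W3C P3P 1.0 spec; the human-readable wording is constructed here.
NS = {"p3p": "http://www.w3.org/2002/01/P3Pv1"}
PURPOSE_TEXT = {"current": "to complete your current activity",
                "admin": "for site administration",
                "contact": "to contact you for marketing"}
RECIPIENT_TEXT = {"ours": "the site itself", "public": "the general public"}
CONSENT_TEXT = {"opt-in": " (only with your opt-in)", "opt-out": " (unless you opt out)"}

def local(elem):
    """'{ns}current' -> 'current'."""
    return elem.tag.rsplit("}", 1)[-1]

def summarize_policy(xml_text):
    """One human-readable line per STATEMENT, like the viewer's template rules.
    Unknown element names pass through: the parser is non-validating."""
    root = ET.fromstring(xml_text)  # raises ET.ParseError if not well-formed
    lines = []
    for stmt in root.iterfind(".//p3p:STATEMENT", NS):
        data = ", ".join(d.get("ref", "?") for d in stmt.iterfind(".//p3p:DATA", NS))
        purpose = stmt.find("p3p:PURPOSE", NS)
        purposes = [PURPOSE_TEXT.get(local(p), local(p))
                    + CONSENT_TEXT.get(p.get("required", "always"), "")
                    for p in (purpose if purpose is not None else [])]
        recipient = stmt.find("p3p:RECIPIENT", NS)
        recipients = [RECIPIENT_TEXT.get(local(r), local(r))
                      for r in (recipient if recipient is not None else [])]
        lines.append("Collects %s %s; shared with %s." % (
            data, " and ".join(purposes), " and ".join(recipients)))
    return lines

def render_summary(xml_text):
    """Viewer behaviour: a non-well-formed policy is not rendered (None)."""
    try:
        return summarize_policy(xml_text)
    except ET.ParseError:
        return None

# Constructed sample policy (not from any real site).
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="sample">
  <STATEMENT>
   <PURPOSE><current/><contact required="opt-in"/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""
```

A schema-invalid but well-formed policy (for example an unknown PURPOSE child) is still summarized, while a truncated document yields no summary at all.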
eXtensible User Interface Language (XUL)
XUL is an XML based language for describing the contents of browser
windows and dialogs. XUL is cross platform, can be styled, and is easily
localizable. Netscape 7.0 uses XUL to construct toolbars, buttons, trees,
menus, and dialog controls. P3P controls are also built on XUL and the user
can view the Web sites' published policy, privacy summary, and privacy options
by clicking on "Policy", "Summary", and "Options" buttons respectively.
These buttons are located in the "Privacy Tab" off of the "Page-Info" window.
Compact Policy Parser
The compact policy parser is called into play when an HTTP response
containing the policy is received. The parser processes the policy and
deduces a consent that can be used to treat the cookies associated with
that policy.
P3P Preferences
This is a XUL-based dialog in which the user specifies special treatments for
cookies based on the sending sites' compact policy. In particular the user can
specify under which compact-policy statements cookies are to be accepted,
rejected, downgraded, or flagged.
P3P Icon
This is a XUL icon appearing on the status line whenever a cookie has been given
special treatment based on the P3P preferences. For example, if a cookie has been
downgraded, flagged, or rejected because the combination of the compact policy
and the user's preferences requested such an action, the icon appears. Clicking
on this icon brings up a dialog which allows the user to get to the cookie manager
to see which cookies were affected. Once the user has seen the dialog, the
icon disappears and remains gone until another cookie is given such special
treatment.
Cookie Manager
This is a XUL-based dialog in which the user can view the cookies that have been
accepted and details about such cookies. In particular, this dialog will show
if any cookies in the current session have received special treatment due to the
combination of the site's compact policy and the user's P3P preferences.
Platform Independence:
Because of the platform independence of XML, XSLT, and XUL, Netscape
was able to deliver an identical P3P implementation across Windows, Macintosh
(Classic and OS X), and Linux, with no additional development effort.
Quotes ( ' or "):
The P3P compact policy header has a quoted string that may contain one
or more delimited tokens. According to the compact policy syntax ( `CP="`
compact-policy `"` ) tokens should be enclosed within double quotes. However,
in practice, Web sites often enclose compact policy tokens within single
quotes. In order to be compatible with such web sites Netscape 7.0, like
other user agents, deviates from the standard and does allow compact policy
tokens to be enclosed in single quotes. Why is the P3P specification strict
about using double quotes?
Slash ( / or \ ):
According to RFC 2396, path segments in a URI path should be separated
by forward slash ( "/" ). However, other user agents consider back slash
( "\" ) specified in the policy reference file as a legal delimiter for path
segments (probably to support Windows users). In order to support sites
which use the back slash, Netscape 7.0 cannot follow the specification
(RFC 2396) strictly. The P3P specification should address such issues.
Unknown CP Tokens:
The P3P specification does not address how user agents should handle tokens
that are not in the compact policy vocabulary. Netscape 7.0 considers a
compact policy with unknown tokens as an invalid policy and treats it as
though the policy collects personally identifiable information without
users' consent. (Reasoning: Unknown token == unknown / unexplained behavior
and therefore is potentially malicious). The specification should clarify
how user agents should treat such tokens.
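The compact policy parser described earlier, the single-quote tolerance, and the unknown-token rule above can be shown together in the following added example; it is not Netscape's code. The token vocabulary is from the P3P 1.0 compact policy syntax, but the rule that decides when personally identifiable information is collected without consent (the PII_CATEGORIES set and the opt-in check) is an assumption made for this example, not Netscape's actual logic.

```python
import re

# Token vocabulary from the P3P 1.0 compact policy syntax. SUFFIXED tokens
# (purposes, recipients) take an optional consent suffix a/i/o.
BARE = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON", "DSP", "COR", "MON", "LAW",
        "NID", "NOR", "STP", "LEG", "BUS", "IND", "TST", "PHY", "ONL", "GOV",
        "FIN", "CNT", "UNI", "PUR", "COM", "NAV", "INT", "DEM", "STA", "POL",
        "HEA", "PRE", "LOC", "OTC"}
SUFFIXED = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
            "HIS", "TEL", "OTP", "OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}  # assumed PII set for this example

# Spec syntax is CP="tokens"; like Netscape 7.0, also accept single quotes.
CP_RE = re.compile(r"""CP\s*=\s*(["'])(.*?)\1""")

def parse_compact_policy(p3p_header):
    """Token list of the CP part of a P3P header value, or None if absent."""
    m = CP_RE.search(p3p_header)
    return m.group(2).split() if m else None

def deduce_consent(tokens):
    """'consent' or 'no-consent'. Unknown token => 'no-consent' (the page's
    Netscape rule). The PII rule is assumed: PII categories collected under
    any purpose/recipient that is not opt-in ('i') count as no consent."""
    collects_pii = lacks_optin = False
    for tok in tokens:
        if tok in BARE:
            collects_pii |= tok in PII_CATEGORIES
        elif tok[:3] in SUFFIXED and tok[3:] in ("", "a", "i", "o"):
            lacks_optin |= tok[3:] != "i"
        else:
            return "no-consent"  # unknown token: unexplained behaviour
    return "no-consent" if collects_pii and lacks_optin else "consent"

def treat_cookie(p3p_header, prefs):
    """Apply the user's P3P preferences: prefs maps a verdict ('consent',
    'no-consent', 'no-policy') to accept/flag/downgrade/reject."""
    tokens = parse_compact_policy(p3p_header)
    verdict = "no-policy" if tokens is None else deduce_consent(tokens)
    return verdict, prefs.get(verdict, "accept")
```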
HTML/XHTML Meta Tag:
Compact policies could be specified in the content itself (via an HTML/XHTML meta tag) rather
than in the HTTP headers. If cookies are set in the HTTP headers, they might be processed
before the compact policy from the content is received. In that case the information
will not be present when needed to make decisions. Since there is no easy solution to
this problem, the specification should explicitly rule out compact policies in meta tags.
Privacy Icon:
In Netscape 7.0 the privacy icon appears, based on the settings, to indicate
that action has been taken against a cookie encountered during that browsing
session. The icon persists until it is clicked (taking the user to the
Netscape 7.0 cookie manager). This may be confusing because the meaning
of the icon is implicit and could mislead the user in distrusting a site
with "harmless" cookies. Other user agents display a warning icon with respect
to the site and not with respect to the session, so when the user leaves
the site, the icon disappears. However, the cookie persists, and can be
read (silently) by the site the next time the user visits that site.
Policy Syntax:
Requiring policies to be encoded in XML is an important and correct step
towards the future of P3P. With XML encoding, policies are well-formed,
well-understood, and easier to parse. Since XML is extensible, newer
sets of P3P elements and attributes can be defined to meet future needs.
Latency:
Having multiple mechanisms to locate a file is a recipe for latency. To
reduce latency P3P should focus on one efficient way to locate the policy
reference file.
Tags:
Bandwidth savings may be achieved by reducing the number of tags required
to encode a policy. Also, by grouping tags into broader categories (PII
tags, non-PII tags, etc.) and not being too granular, it is possible to
reduce latency in processing policy files. Furthermore, to attain better
compression, tag names can be shortened and lower cased, while maintaining
meaningful semantics.
Caching:
Since policies are cacheable, to attain better network performance, there
needs to be a way to determine that cached policies are not obsolete.
In providing support for P3P, Netscape was able to take advantage of several existing browser components. This was largely due to the fact that P3P is an XML application; Netscape considers the fact that P3P is based on XML to be a key aspect of the standard, and its extensibility will be a great advantage as the standard evolves.