The P3P Validator Document

This document explains how the P3P validator checks the web page. The validator users are supposed to read this document and understand what was validated about their web site/page.

1. What is "Integrated Validation"?

To use this function, the user must give the URI of a web page (which is called target URI in this document). Then, this function checks if the target URI (web page) is compliant with P3P, using the following procedure.

1.1 Get Policy Refernece File URI

P3P provides three following methods for the client to know the Policy Reference File (PRF) URI:
  1. Well Known Location File
  2. HTTP Header
  3. HTML link tag
The validator tries all three methods and get to know the PRF URI.
Well Known Location
Well Known Location is defined as /w3c/p3p.xml on the same site of the target URI. The validator sends HTTP GET request to well known location URI and checks if the PRF exists.
HTTP Header
The PRF URI can be specified with HTTP Header. The validator sends the HTTP GET request to the target URI and checks if the the response includes the following directive:
P3P: policyref="some uri"
Also, the validator checks the compact P3P policy.
HTML link tag
When the target URI is an HTML document, the PRF URI can be specified with HTML link tag. The validator retrieves the target URI's document and checks if it includes the following directive:
<link rel="P3Pv1" href="some uri">

1.2 Policy Reference File Check

After getting the PRF URIs, the validator checks if the PRF at the each URI is valid with following steps:
Access Check
Check if PRF can be accessed from the internet, using HTTP GET method
Syntax Check
Check if the syntax of PRF is correct using following sub steps: *1
URI Check
This steps includes folloiwng two substeps:
Determining Policy URI
Evaluate each POLICY-REF element in PRF from the top to down, and find the Policy URI associated with the target URI.
Non-ambiguity Check
If more than one PRFs cover the target URI and specifies the Policy URI, it is an error. Note that when different methods specify the same PRF URI, it is OK (e.g. If both HTTP header and HTML link tag specify /policyref.xml, it is OK).

*1 If P3P policy is embedded in PRF as an inline policy, its syntax is also checked at the same time.

*2 This check is done by using XML Schema Validator.

1.3 Policy File Checking

After getting the Policy URI, the validator validates it with following steps:
Access Check
Check if Policy URI can be accessed from the internet, using HTTP GET method
Syntax Check
Check if the syntax of Policy is correct using following sub steps:
Vocabulary Check
Check if the P3P data elements in <DATA ref="..."> directive are included in P3P Base Data Schema. Note that the validator does not recognize the user's own data schema, and all data elements belonging to the user's data schema will be warned.
Link Check
Check if URI references included in Policy are accessible. It includes:

2 What is "Policy File Validation"?

This function does the same thing as 1.3. The difference is that the user in the firewall can check his policy file with File Upload button.

When File Upload feature is used and the policy file includes relative links in it, the Link Check will be failed.

3. What the validator does NOT do

Semantics Checking
In general, the validator checks syntax only. Therefore, it NOT (or can not) check whether the web page owner obeys P3P policy. For example:

5. Changes

Jan 12, 2001
The description about the compact policy header was added.
Oct 26, 2000
This document was created.

Jan 12, 2001. Yuichi Koike (koike@ay.jp.nec.com)