The www-p3p-policy mailing list gets a steady stream of messages from frustrated Webmasters who are trying to P3P-enable their Web sites and have run into difficulties. In
some cases these Webmasters do not understand fundamental concepts about how P3P
works. However, in many cases they actually have come pretty close to successfully
P3P-enabling their sites, but something is still not quite right. In this article I review some
troubleshooting strategies and list some of the frequent mistakes I have seen people make. For more detail about the entire process of P3P-enabling a Web site as well as examples of how to write policies that cover a variety of common Web site scenarios, check out my book, Web Privacy with P3P.
Test, Test, Test
The first thing you should do after P3P-enabling a Web site is to test it to make sure your
P3P implementation is correct and that it works. This should be done using the W3C's
P3P Validator and using at least one P3P user agent.
You can use the P3P Validator to check to make sure your P3P files are syntactically
correct and placed in the appropriate location on your Web server. If the validator reports
any errors, read them carefully, and work through them one at a time until you get a
successful validation report. Unfortunately, bugs are still being found in the validator
from time to time, so in some rare cases, valid sites do not validate, or errors are not
caught. Therefore it is a good idea to review the list of known bugs on the validator Web
site and check to see if any of them may be applicable to you. If you have configured
your Web server to issue P3P headers, you need to make sure that your server is actually
issuing those headers. The validator report will indicate whether or not the validator
received any valid P3P headers from your Web site.
Once you have validated your site, you should test it with at least one P3P user agent, and, if possible, with all P3P user agents that visitors to your site might be using. Right
now I would advise Webmasters to test their P3P implementations using IE6, Netscape 7,
and the AT&T Privacy Bird. The first thing to test with all three of these P3P user agents is whether they can produce a human-readable summary of your
site's P3P policy. You can get that summary with Privacy Bird by clicking on the bird
and selecting Policy Summary from the About This Site menu. IE6 will produce a policy
summary if you select Privacy Report from the View menu. In Netscape 7 you will need
to go to the View menu, select Page Info, go to the Privacy tab, and click on the
Besides verifying that all three user agents can produce a policy summary, you should
in XML. While we have found some rare cases where valid P3P policies are not properly
displayed, or not displayed at all by one or more P3P user agents, generally, if your
policy does not display properly, it indicates there is something wrong with your policy. If
you make changes to your policy, you may need to clear your browser's cache or the
Privacy Bird's cache before you see an updated policy summary.
If you have implemented compact policies on your Web site, you should also use IE6 and
Netscape 7 to see how your cookies are handled. You should be sure to test URLs that
result in your cookies being set in a third-party context (if your cookies are ever used in
such a context). Use the browsers' default (medium) settings to make sure your cookies
will not be blocked for most users. If IE6 displays an eye with a do-not-enter sign in the
lower right hand corner, then your cookies are being blocked or restricted. Click on the
eye for more information. Likewise, Netscape will display a cookie icon in the lower
right hand corner when cookies are being blocked, restricted, or flagged. When these
icons appear, it does not necessarily mean that your cookies are being blocked, so do read
the more detailed information to find out how the browser is handling each cookie.
IE6 and Netscape 7 browsers may block, restrict, or flag cookies when they do not have a
compact policy (or there is a problem with the compact policy) or when the compact
policy indicates an "unsatisfactory" privacy practice. (Users may configure them to block
cookies under other conditions as well.) Several tools will tell you whether or not your
compact policy will be considered satisfactory by IE6, including the IBM P3P Policy Editor and the P3P Compact Policy Translator.
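As an added example (not from the original article or from any of the tools named above), the following Python checks a captured HTTP response for two of the problems described here: a missing P3P header, and a compact policy containing tokens that are not in the P3P 1.0 compact vocabulary. The function names and the sample response are constructed for illustration; the code does not judge whether IE6 would consider the policy satisfactory.

```python
import re

# P3P 1.0 compact-policy tokens that never take a suffix.
PLAIN = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR
NOR STP LEG BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL
HEA PRE LOC GOV OTC TST""".split())
# Purpose/recipient tokens that may end in a (always), i (opt-in) or o (opt-out).
SUFFIXABLE = set("""ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP
DEL SAM UNR PUB OTR""".split())

def parse_p3p_header(raw_headers):
    """Return (policyref, cp_tokens) for the first P3P header, or None if absent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "p3p":
            ref = re.search(r'\bpolicyref\s*=\s*"([^"]*)"', value, re.I)
            cp = re.search(r'\bCP\s*=\s*"([^"]*)"', value, re.I)
            return (ref.group(1) if ref else None,
                    cp.group(1).split() if cp else None)
    return None

def invalid_tokens(tokens):
    """Return the tokens that are not valid compact-policy tokens."""
    return [t for t in tokens if t not in PLAIN and not
            (t[:3] in SUFFIXABLE and t[3:] in ("", "a", "i", "o"))]

def check_response(raw_headers):
    """Return a list of problems found in the response's P3P header."""
    parsed = parse_p3p_header(raw_headers)
    if parsed is None:
        return ["no P3P header in response"]
    _ref, cp = parsed
    if not cp:
        return ["P3P header carries no compact policy (CP=...)"]
    return ["invalid compact policy token: " + t for t in invalid_tokens(cp)]

# Constructed sample response; CURa and XYZ are deliberate mistakes.
SAMPLE = '''HTTP/1.1 200 OK
Content-Type: text/html
P3P: policyref="http://www.example.com/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMo XYZ OUR NOR"
Set-Cookie: id=123; path=/
'''

if __name__ == "__main__":
    for problem in check_response(SAMPLE) or ["P3P header looks well-formed"]:
        print(problem)
```

An empty result means only that the header is present and its tokens are well-formed; the browser tests described above are still needed to see how each cookie is actually handled.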