Q: P3P compliance on my web site (Answered, 5 out of 5 stars, 1 Comment)
Question  
Subject: P3P compliance on my web site
Category: Computers > Internet
Asked by: barryfreed-ga
List Price: $15.00
Posted: 09 Aug 2002 08:10 PDT
Expires: 08 Sep 2002 08:10 PDT
Question ID: 52589
Hi.
I need to make our site P3P compliant, and so far my head is spinning.
I've gone through tutorial after tutorial, and have downloaded the IBM
P3P editor, but I still have had no success. My site is
http://www.consortiuminfo.org and I already have the reference file
p3p.xml and the policy file in the "easily located directory" /w3c.
I've added the following to my httpd.conf file:

LoadModule headers_module     libexec/mod_headers.so

and 

AddModule mod_headers.c

but that hasn't worked either. I have run my URL through the W3C's
validator, and got the following response:

***************************************************

Results of P3P validation
Target URI: http://www.consortiuminfo.org/w3c/


--------------------------------------------------------------------------------

Step 1: /w3c/p3p.xml Validation

URI: http://www.consortiuminfo.org/w3c/p3p.xml

Step 1-1: Access check

/w3c/p3p.xml can be retrieved.

Message: The content type of /w3c/p3p.xml is text/xml.

Step 1-2: Syntax check

/w3c/p3p.xml has no syntax errors.

Step 1-3: Policy URI check

/w3c/p3p.xml has some warnings or errors.

Error: The URI fragment identifier (#xxx) is necessary to specify a
POLICY element in a POLICIES element.

/w3c/p3p.xml does not specify P3P policy for
http://www.consortiuminfo.org/w3c/


--------------------------------------------------------------------------------

Step 2: HTTP Protocol Validation ( HTTP headers )

HTTP headers have no P3P: header.


--------------------------------------------------------------------------------

Step 3: HTML File Validation

HTML document has no P3P compliant link tags.

Message: No valid P3P compliant <link> element.


--------------------------------------------------------------------------------

Validator could not find valid policy reference file URI. Validation
aborted.


***************************************************

And when I check my headers I get:
***************************************************

HTTP Headers of:
[http://www.consortiuminfo.org/w3c/] 


--------------------------------------------------------------------------------

Connection: close
Date: Fri, 09 Aug 2002 15:05:05 GMT
Server: Apache/1.3.12 (Unix) PHP/4.0.1pl2 mod_perl/1.24
FrontPage/4.0.4.3 AuthMySQL/2.20 mod_ssl/2.6.4 OpenSSL/0.9.5a
Content-Type: text/html
Client-Date: Fri, 09 Aug 2002 15:05:05 GMT
Client-Response-Num: 1
Client-Transfer-Encoding: chunked

***************************************************

Please let me know:
1. What I'm doing wrong as far as the locations of files or what I'm
missing.

2. What I can do to fix the headers problem (what do I need in the
httpd.conf file?)

3. Whether or not I have to write a .htaccess file in a directory, and
if so, where do I put it and what should it say?

Additional Information:

1. Server- Apache /1.3.12 FreeBSD/i386
2. I want to use one policy for all directories on the site.
Answer  
Subject: Re: P3P compliance on my web site
Answered By: snapanswer-ga on 09 Aug 2002 09:25 PDT
Rated:5 out of 5 stars
 
Barryfreed, you are very, very close.  What your reference file is
missing is the name of the policy as it appears in your policy file. 
In my example below, the only change I have made to your reference
file is in the POLICY-REF element.  Note that I added #PrivacyPolicy
to the end of your URI.


 <META xmlns="http://www.w3.org/2001/09/P3Pv1">
 <POLICY-REFERENCES>

 <POLICY-REF about="/w3c/policy.xml#PrivacyPolicy">
  <INCLUDE>/cgi-bin/*</INCLUDE> 
  <INCLUDE>/htdocs/*</INCLUDE> 
  <EXCLUDE>/logs/</EXCLUDE> 
  </POLICY-REF>

  </POLICY-REFERENCES>
  </META>

Let's start with that change, and run it through the validator again.
Note that this is the preferred method for using P3P, and that you do
not need to adjust your headers, nor do you need to have <LINK> tags
in your HTML document.  You only need to use one method, and this is
the preferred method.

If the validator reports additional errors at that time, simply post it
in a Clarification Request and I will respond quickly.

Also, if you decide that you want to use additional methods (HTTP
headers or <LINK> tags in your HTML) let me know, and I will add
information about that, as well.  However, you only need to use one
method, not all of the methods.

I will note here that in your HTML document your tags for P3P should
occur before the </HEAD> tag.  Currently, they appear after the
</HEAD> tag.

I hope this helps.  If you find any of the information unclear, please
do not hesitate to ask for clarification.


I found these documents helpful in finding this information:
W3C "Make Your Web Site P3P Compliant" 
http://www.w3.org/P3P/details.html

Softsteel "The Platform for Privacy Preferences Project (P3P)"
http://www.softsteel.co.uk/tutorials/P3P/

Search Terms: P3P tutorial
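
Added example (not part of the original answer, and not the W3C validator's code): a small Python check that reports a POLICY-REF whose "about" URI lacks the #fragment, as in the validator error quoted in the question, and resolves which policy a given path falls under. The sample file is constructed for a single site-wide policy; the function names and the first-match rule across POLICY-REF elements are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag

# Constructed sample: one policy for the whole site, /logs/ excluded.
SAMPLE = """<META xmlns="http://www.w3.org/2001/09/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policy.xml#PrivacyPolicy">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/logs/*</EXCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""

def _local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def _matches(pattern, path):
    # In INCLUDE/EXCLUDE, '*' is the only wildcard; the rest is literal.
    rx = ".*".join(re.escape(part) for part in pattern.strip().split("*"))
    return re.fullmatch(rx, path) is not None

def check_reference_file(xml_text):
    """Return (refs, problems) for a P3P policy reference file."""
    refs, problems = [], []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "POLICY-REF":
            continue
        about = el.get("about", "")
        if not urldefrag(about).fragment:
            problems.append(f"about={about!r} has no #fragment naming a POLICY")
        inc = [c.text or "" for c in el if _local(c.tag) == "INCLUDE"]
        exc = [c.text or "" for c in el if _local(c.tag) == "EXCLUDE"]
        refs.append((about, inc, exc))
    return refs, problems

def policy_for(xml_text, path):
    """Return the policy URI covering `path`, or None if none applies."""
    refs, _ = check_reference_file(xml_text)
    for about, inc, exc in refs:
        included = any(_matches(p, path) for p in inc)
        excluded = any(_matches(p, path) for p in exc)
        if included and not excluded:  # EXCLUDE overrides INCLUDE
            return about
    return None
```

Calling policy_for(SAMPLE, "/") returns the policy URI, while a path under /logs/ returns None, which corresponds to the validator's "does not specify P3P policy for ..." message.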

Request for Answer Clarification by barryfreed-ga on 09 Aug 2002 10:22 PDT
Okay, 
I changed the reference file exactly how you said, but I'm still
getting an error in validation:
************************************************************
Step 1-3: Policy URI check

/w3c/p3p.xml has no warnings or errors.

Message: P3P policy indicated at line 4 can be accessed. 


/w3c/p3p.xml does not specify P3P policy for
http://www.consortiuminfo.org/

************************************************************

I am using the AT&T privacy bird plugin to check to see if the policy
is working yet. Any new ideas?
Do I need a .p3p file that goes somewhere? is that what the error is
saying?

Clarification of Answer by snapanswer-ga on 09 Aug 2002 11:29 PDT
Can you clear your browser cache and exit your browser (close all
browser windows).  In Internet Explorer, you can clear your browser
cache by clicking Tools | Internet Options.  Under Temporary Internet
Files, click the "Delete Files" button.

Once you clear the cache, then close all of your browser windows and
try again.

I am asking you to do this because when I run the validator,
everything appears in order.  This is the result that I get.
-------------------------------
Step 1-3: Policy URI check

/w3c/p3p.xml has no warnings or errors.

Message: P3P policy indicated at line 4 can be accessed. 


P3P policy for http://www.consortiuminfo.org/ is
[http://www.consortiuminfo.org/w3c/policy.xml#PrivacyPolicy
-------------------------------

This leads me to believe that a file is being cached somewhere during
your test.  Frankly, your browser cache should not affect the W3C
validator, but it might affect your AT&T plug-in.  I'm just trying to
cover the bases.

Shall we give that a try?  Rest assured, this is a problem with a
solution, and we will find it.
barryfreed-ga rated this answer:5 out of 5 stars
Perfection!! I was pulling out my hair for two full days trying to
figure out why this wouldn't work, and now it's working perfectly!!!
Only problem now is that even though our content is p3p compliant,
we're using SuperStats as tracking/stats software, and they're
dropping a 3rd party cookie, which gets denied by most privacy
settings on IE. But, that's their problem and not mine!!! Now it's time
for me to give them a few questions...thanks so much for the quick
response and clarification. I will definitely use this service
again...hopefully sooner next time!

Comments  
Subject: Re: P3P compliance on my web site
From: braveheart-ga on 19 Aug 2002 11:28 PDT
 
A quick little comment in hope to answer your other problem... the IE
filtering thing is because IE looks for a compact policy as opposed to
a full policy like you have at the moment. To add your compact policy
to the site, you have to add the P3P CP header to the start of each
sent page. So in your httpd.conf file (under the <VirtualHost> block
if you're using vhosts), put:

Header add P3P "CP=\"NOI DSP COR CURa ADMa DEVa OUR IND OTC\""

This is just an example policy - you'll have to create one according
to your site's policy. As far as I can tell, IE doesn't actually check
the rules of this policy, but just IF it exists... so you could say
that you're sending credit card details to 3rd parties and IE wouldn't
care :).

Hope that helps.
