Mailing List Archive

P3P headers
I'm stumped and hoping someone might have already gone through
this and figured it out already. I need to make our site P3P compliant
and in order to do so for IE6 you need to include a compact policy in
the headers of all responses. I have added the following to httpd.conf
and it works great - except the header is NOT provided when there is
a query string at the end of the URL. For example, everything works
great if you request http://www.mysite.com/foo.cgi but the header is
NOT sent if you request http://www.mysite.com/foo.cgi?bar. Anyway
here is what I'm using in my httpd.conf:

Header append P3P "policyref=\"http://www.mysite.com/w3c/p3p.xml\",CP=\"NOI DSP COR CURa ADMa DEVa TAIa OUR IND UNI COM NAV INT\""

I'd give my first born to the person who can tell me why it doesn't set
the CP header when there is a query string. Thanks...

jesso


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: P3P headers
On Sat, 15 Dec 2001 jesso2000@earthlink.net wrote:

> I'm stumped and hoping someone might have already gone through
> this and figured it out already. I need to make our site P3P compliant
> and in order to do so for IE6 you need to include a compact policy in
> the headers of all responses. I have added the following to httpd.conf
> and it works great - except the header is NOT provided when there is
> a query string at the end of the URL. For example, everything works
> great if you request http://www.mysite.com/foo.cgi but the header is
> NOT sent if you request http://www.mysite.com/foo.cgi?bar. Anyway
> here is what I'm using in my httpd.conf:
>
> Header append P3P "policyref=\"http://www.mysite.com/w3c/p3p.xml\",CP=\"NOI DSP COR CURa ADMa DEVa TAIa OUR IND UNI COM NAV INT\""
>

Very strange! What version of Apache? If it is 1.3.22, try backing up to
1.3.20 and see if that fixes the problem.

Joshua.


Re: P3P headers
>Very strange! What version of Apache? If it is 1.3.22, try backing up to
>1.3.20 and see if that fixes the problem.

Thanks for your email. I'm actually still using 1.3.19 ...


RE: P3P headers
> From: jesso2000@earthlink.net [mailto:jesso2000@earthlink.net]

> >Very strange! What version of Apache? If it is 1.3.22, try backing up to
> >1.3.20 and see if that fixes the problem.
>
> Thanks for your email. I'm actually still using 1.3.19 ...

I just tried to recreate this with a version very close to 1.3.19 and I
could not.

No offence intended, but my guess is that you have made a simple mistake in
your testing: not clearing the cache, not restarting the server, using the
wrong url, etc.

If you are really sure that you can recreate this consistently, please give
some more details of your setup.

Joshua.


RE: P3P headers
>I just tried to recreate this with a version very close to 1.3.19 and I
>could not.
>
>No offence intended, but my guess is that you have made a simple mistake in
>your testing: not clearing the cache, not restarting the server, using the
>wrong url, etc.
>
>If you are really sure that you can recreate this consistently, please give
>some more details of your setup.

I have narrowed it down to a problem with using & in the query string.

These URLs all work fine and the header is appended:

http://www.adminder.com
http://www.adminder.com/c.cgi
http://www.adminder.com/c.cgi?foo
etc

However http://www.adminder.com/c.cgi?foo&bar or any other URL with
a & in the query string does not work because the header is NOT added.

Just request these URLs and view the headers. You will see that the P3P
header is not appended if you use a & in the query string. Remove the &
and the P3P header is appended properly.

Is this a bug in mod_headers or am I missing something here? Thanks.


RE: P3P headers
> -----Original Message-----
> From: jesso2000@earthlink.net [mailto:jesso2000@earthlink.net]

> I have narrowed it down to a problem with using & in the query string.
>
> These URLs all work fine and the header is appended:
>
> http://www.adminder.com
> http://www.adminder.com/c.cgi
> http://www.adminder.com/c.cgi?foo
> etc
>
> However http://www.adminder.com/c.cgi?foo&bar or any other URL with
> a & in the query string does not work because the header is NOT added.
>
> Just request these URLs and view the headers. You will see that the P3P
> header is not appended if you use a & in the query string. Remove the &
> and the P3P header is appended properly.

I just tried this on my system with a "&" and could not recreate the
problem.

I tried it on your box, and while I get the P3P header for the root site, I
do not get it when I request c.cgi, regardless of any query string. Where
in the httpd.conf did you place the Header directive? You should place it
in the main server context, outside any <directory> sections.

Joshua.


RE: P3P headers
> -----Original Message-----
> From: Joshua Slive [mailto:joshua@slive.ca]

> > -----Original Message-----
> > From: jesso2000@earthlink.net [mailto:jesso2000@earthlink.net]
>
> > I have narrowed it down to a problem with using & in the query string.
> >
> > These URLs all work fine and the header is appended:
> >
> > http://www.adminder.com
> > http://www.adminder.com/c.cgi
> > http://www.adminder.com/c.cgi?foo
>
> I tried it on your box, and while I get the P3P header for the root site, I
> do not get it when I request c.cgi, regardless of any query string.

Hmmm... I just noticed that your CGI script is returning a 302 redirect. That
is probably the issue.

Joshua.


RE: P3P headers
>I tried it on your box, and while I get the P3P header for the root site, I
>do not get it when I request c.cgi, regardless of any query string. Where
>in the httpd.conf did you place the Header directive? You should place it
>in the main server context, outside any <directory> sections.

Now I'm really getting confused - I get the P3P header on all URLs
unless it has a & in the query string. =(

>Hmmm... I just noticed that your CGI script is returning a 302 redirect. That
>is probably the issue.

Do you have any idea how to fix this? I'm actually not so sure because,
like I said, myself and everyone who has tested it does get the P3P header
on any URL unless there is a & in the query string. See for yourself using
the w3.org validator:

http://validator.w3.org/p3p/20010928/p3p.pl?uri=http%3A%2F%2Fwww.adminder.com%2Fc.cgi%3Fadminder

Regardless, thanks so much for your time and help. If you have any
other ideas I'd love to hear them.


RE: P3P headers
> From: jesso2000@earthlink.net [mailto:jesso2000@earthlink.net]


> >Hmmm... I just noticed that your CGI script is returning a 302 redirect. That
> >is probably the issue.
>
> Do you have any idea how to fix this? I'm actually not so sure because,
> like I said, myself and everyone who has tested it does get the P3P header
> on any URL unless there is a & in the query string. See for yourself using
> the w3.org validator:
>
> http://validator.w3.org/p3p/20010928/p3p.pl?uri=http%3A%2F%2Fwww.adminder.com%2Fc.cgi%3Fadminder
>

That's not a good test! The validator is most likely following the redirect
and grabbing the P3P header there. Whether that is the proper thing to do,
I don't know.

You should test this way:
telnet www.adminder.com 80
GET /c.cgi?adminder HTTP/1.0
Host: www.adminder.com[enter][enter]

(or if you have it lynx -head -dump
"http://www.adminder.com/c.cgi?adminder")

Joshua.


RE: P3P headers
>(or if you have it lynx -head -dump
>"http://www.adminder.com/c.cgi?adminder")

Thanks for the heads up on that, I didn't even think of that - I was
just relying on the w3 utility. Doh. Anyway, now I'm even more
confused. Check this out. If you do:

lynx -head -dump "http://www.adminder.com/contact.shtml"

It says that URL is 404 not found. But if you go to that URL in
your browser you will see it obviously exists. LOL


RE: P3P headers
In fact, lynx -head -dump says 404 not found for any page on the
adminder.com site other than the main adminder.com. This site
is set up as a virtual host ... any other ideas? Thanks.


RE: P3P headers
Oh and I forgot to mention. There are other domains set up the exact
same way as virtualhosts on the same box and they don't have this
weird 404 not found behavior when you do lynx -head -dump. ??


RE: P3P headers
> From: jesso2000@earthlink.net [mailto:jesso2000@earthlink.net]
>
> lynx -head -dump "http://www.adminder.com/contact.shtml"
>
> It says that URL is 404 not found. But if you go to that URL in
> your browser you will see it obviously exists. LOL

I have no problem getting that URL with lynx.

Joshua.

RE: P3P headers
>I have no problem getting that URL with lynx.

Hmm I did it from another box and it worked OK. I guess it doesn't
work right in a local setting. Anyway, ok, so at this point basically
it seems like it's just not working on the cgi scripts that redirect -
basically it doesn't work right if the response is 302. Hmm this is
a huge problem. I assume it doesn't append the header because it
assumes the page that it is redirecting to will set any necessary
headers, but we can't assume that. Any idea how to get around this?

Thanks a million for your time and help.


RE: P3P headers
> From: jesso2000@earthlink.net [mailto:jesso2000@earthlink.net]

> Hmm I did it from another box and it worked OK. I guess it doesn't
> work right in a local setting. Anyway, ok, so at this point basically
> it seems like it's just not working on the cgi scripts that redirect -
> basically it doesn't work right if the response is 302. Hmm this is
> a huge problem. I assume it doesn't append the header because it
> assumes the page that it is redirecting to will set any necessary
> headers, but we can't assume that. Any idea how to get around this?

I'm not an expert in this issue. I'm not sure if the fact that Header
doesn't add the header to redirects was a conscious design decision or a bug
or neither. You can try to get more info from the development list if you
want.

But my first question would be, why do you really need that? What
functionality is failing because you can't add headers to the redirect?

If the problem is only the cgi script, you can easily solve it by just
having your cgi script send the P3P header itself. (I haven't tested that,
but I think it should work.) Of course, this won't change other redirects.
For example, your server also does not send the P3P header for
trailing-slash redirects.

Joshua.
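
Added example, not part of the original thread: the two points made above (check each response yourself instead of trusting a client that follows redirects, and have the redirecting script send the P3P header itself) shown as a hop-by-hop header check. The local server, the /fixed.cgi and /landing.html paths, and all function names are constructed for illustration; only the CP value comes from the thread.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Compact policy copied from the thread's Header directive.
CP = 'CP="NOI DSP COR CURa ADMa DEVa TAIa OUR IND UNI COM NAV INT"'

class Handler(BaseHTTPRequestHandler):
    """Constructed stand-in: /c.cgi redirects without P3P, /fixed.cgi sends it."""
    def do_HEAD(self):
        if self.path.startswith(("/c.cgi", "/fixed.cgi")):
            self.send_response(302)
            self.send_header("Location", "/landing.html")
            if self.path.startswith("/fixed.cgi"):
                self.send_header("P3P", CP)  # script emits the header itself
        else:
            self.send_response(200)
            self.send_header("P3P", CP)      # what the Header directive adds
        self.end_headers()

    def log_message(self, *args):            # keep the demo quiet
        pass

def trace(host, port, path, max_hops=5):
    """HEAD every hop by hand; return [(path, status, P3P value or None), ...]."""
    hops = []
    for _ in range(max_hops):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("HEAD", path)
        resp = conn.getresponse()
        location = resp.getheader("Location")
        hops.append((path, resp.status, resp.getheader("P3P")))
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        path = location                      # demo redirects are same-host paths
    return hops

def run_demo(paths=("/c.cgi?foo&bar", "/fixed.cgi?foo&bar")):
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {p: trace("127.0.0.1", server.server_address[1], p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for start, hops in run_demo().items():
        for path, status, p3p in hops:
            print(f"{start}: {path} {status} P3P {'present' if p3p else 'MISSING'}")
```

A checker that only looks at the last hop reports the header as present for both start URLs; the per-hop list is what exposes the bare 302.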


RE: P3P headers
Hi Joshua,

>But my first question would be, why do you really need that? What
>functionality is failing because you can't add headers to the redirect?

We are redirecting to other sites we have no control over, who use
our cookies in a 3rd party setting.

>If the problem is only the cgi script, you can easily solve it by just
>having your cgi script send the P3P header itself. (I haven't tested that,
>but I think it should work.) Of course, this won't change other redirects.
>For example, your server also does not send the P3P header for

Actually I came up with something that seems to work great. Instead
of redirecting the way we were doing, we now output this:

print "Content-type: text/html\n\n";
print "<HTML><HEAD>\n";
print "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL=$redirect\">\n";
print "</HEAD></HTML>\n";

And it works great. Thanks so much for your help, it was your input
that helped us fix this problem we were having. You rock, thanks!

