How to specify P3P (Privacy Policy) for Confluence?

Our authentication to Confluence is handled by our own SSO by using a session cookie. The SSO also controls the authentication to the core system(s).

Now we're having an issue with cookies not being enforced properly with Internet Explorer, and we've identified that the problem is due to a lacking Privacy Policy (P3P). We are not implementing this for the SSO and Core systems (all running on IIS). But the story is somewhat different for Confluence.

Now, I've opened a question on Stack Overflow for this issue as it wasn't as easy as I first imagined: http://stackoverflow.com/questions/19855946/turkey-urlrewrite-filter-on-tomcat-will-not-set-p3p

I appreciate all the help I can get on this issue.

3 answers

1 accepted

I had a second look at the web.xml file for the urlrewrite entry. I found that Atlassian had added specific settings for the filter to kick in. So "my" rules never actually kicked in. I changed these to /* in server.xml:

<filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <!--<url-pattern>/s/*</url-pattern>-->
    <url-pattern>/*</url-pattern>
</filter-mapping>

and added the following to urlrewrite.xml:

<rule enabled="true">
    <from>.*</from>
    <set type="response-header" name="p3p">CP="NON DSP COR ADM OUR STP"</set>
</rule>

Now I have to figure out Atlassian's intention with the /s/* (I know what they do, but I do not know why they added this. Test installation seems to run just fine).

Some more googling told me to implement this as follows:

1. For each directory that you want your Compact Policy header to be available from, you must create a file called '.htaccess' (without quotes). Note that the period at the beginning of the filename makes it invisible on your webserver. To view hidden files in an FTP session, add '-al' (without quotes) to the list command (for example: ls -al). Also note that it may be difficult to create a file named '.htaccess' on Windows systems. Instead, name the file 'htaccess', upload it and rename it to '.htaccess'. The .htaccess file will affect the directory it is placed in, and any subdirectories contained in it. Therefore, to apply your Compact Policy to an entire website, place an .htaccess file in your account's root directory.

2. The .htaccess file must contain a line which adds your Compact Policy header. The line should look like:
Header append P3P 'CP="[compact policy here]"'
Note the following:
The command is: Header append
P3P is the header name.
The rest is the header value.
Note the use of quotes in the above example. Single-quotes surround the entire header value. Double-quotes surround the actual Compact Policy.

This did not work with me. When I edited web.xml the server failed to restart.

Note that "my" version is 4.1.5.

If Confluence refuses to start it might be because there is some sort of spelling mistake in the change you did, either in server.xml or in urlrewrite.xml.

My version is 5.1 and I did not edit the server.xml; I edited web.xml.

I will try to edit the server.xml and see what happens.
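The accepted answer's diagnosis (a filter mapping limited to /s/* keeps the rewrite rule from ever running) can be checked offline before restarting Confluence. The following is an added example, not code from the thread or from Atlassian: it assumes that `<from>` is applied as a regex search on the context-relative path, and the sample files and request paths are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files mirroring the snippets in the accepted answer.
WEB_XML_ORIGINAL = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/s/*</url-pattern>
  </filter-mapping>
</web-app>"""
WEB_XML_CHANGED = WEB_XML_ORIGINAL.replace("/s/*", "/*")
URLREWRITE_XML = """<urlrewrite>
  <rule enabled="true">
    <from>.*</from>
    <set type="response-header" name="p3p">CP="NON DSP COR ADM OUR STP"</set>
  </rule>
</urlrewrite>"""

def filter_patterns(web_xml, filter_name="UrlRewriteFilter"):
    """Return every url-pattern that web.xml maps to the named filter."""
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]*"', "", web_xml, count=1))
    return [(p.text or "").strip()
            for m in root.iter("filter-mapping")
            if (m.findtext("filter-name") or "").strip() == filter_name
            for p in m.iter("url-pattern")]

def servlet_match(pattern, path):
    """Servlet-spec mapping: '/prefix/*', '*.ext', default '/' or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern in ("/", path)

def response_headers(web_xml, urlrewrite_xml, path):
    """Headers the rules would set for path; {} when the filter never runs."""
    if not any(servlet_match(p, path) for p in filter_patterns(web_xml)):
        return {}
    headers = {}
    for rule in ET.fromstring(urlrewrite_xml).iter("rule"):
        # Assumption: <from> is a regex searched in the context-relative path.
        if rule.get("enabled", "true") != "false" and re.search(rule.findtext("from", ""), path):
            for s in rule.iter("set"):
                if s.get("type") == "response-header":
                    headers[s.get("name")] = (s.text or "").strip()
    return headers
```

Calling `response_headers` with the contents of the real web.xml and urlrewrite.xml shows which request paths would receive the P3P header under the current mapping.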
