Forum: Ruby on Rails URGENT -- How do I create a privacy policy with locomotive?

Bruce Balmer (brucebalmer)
on 2005-12-05 17:08
(Received via mailing list)
Chaps (and chapettes):

I am under the gun here.  A site is meant to be tested today but it
failed the first test.  The problem is (or appears to be) that
because we don't have a privacy policy for our website, the
corporation won't permit access to the site (none of the images load,
amongst other problems).

I have no idea about privacy policies - how do I make that happen?

bruce
justin (Guest)
on 2005-12-05 18:18
(Received via mailing list)
Bruce Balmer wrote:

> Chaps (and chapettes):
>
> I am under the gun here.  A site is meant to be tested today but it
> failed the first test.  The problem is (or appears to be) that  because
> we don't have a privacy policy for our website, the  corporation won't
> permit access to the site (none of the images load,  amongst other
> problems).
>
> I have no idea about privacy policies - how do I make that happen?

If you google for "privacy policy" you will find plenty of examples (and
  some companies offering support for constructing privacy policies).

Sounds as if you have a previously-unidentified stakeholder. Who is
going to accept or reject the privacy policy, and what are their
criteria?

Finally, what has this got to do with Locomotive?
Bruce Balmer (brucebalmer)
on 2005-12-05 18:51
(Received via mailing list)
Justin:

Thanks for the reply.  I would have thought this was a common
problem.  Here is the scenario.

I created a site for a corporate client to vote on some internal
matter but the site is hosted by me externally for reasons too boring
to go into.

The company insist on using IE 6.

My site won't load and it turns out (I think) that it is because I
don't have a privacy policy and IE 6 insists on one.  If that is
true, everyone should be having this problem.

Now we don't want to maintain any data except two votes, but we do
have to keep an ID number for each person who voted to make sure they
don't vote twice.

So my privacy policy is, in truth, we are going to keep your two
votes linked to your id and do so for about 5 days then throw the
whole lot away.  We don't want your email, your credit card or your
inside leg measurement EVER.

I have another site that does not use cookies and my client can
access that one no problem, so I believe for this and other reasons
that this is a cookie IE 6 thing.

I thought perhaps that locomotive using lighttpd might require me to
put something somewhere but it appears that what I really need to do
(I think) is to just add the compact privacy policy   "CN= whatever"
to my headers.

How is that done?

Finally - some late breaking news (from my client, just in while
typing this email) is that having set his IE 6 security level to
accept all cookies from all sites, he still cannot view my site.
Does this change the situation?

bruce
cuong.tran (Guest)
on 2005-12-05 19:40
(Received via mailing list)
Talk to the stakeholders in your corporation instead of asking
strangers :)
ben (Guest)
on 2005-12-05 19:56
(Received via mailing list)
On Mon, Dec 05, 2005, Bruce Balmer wrote:
> Chaps (and chapettes):
>
> I am under the gun here.  A site is meant to be tested today but it
> failed the first test.  The problem is (or appears to be) that
> because we don't have a privacy policy for our website, the
> corporation won't permit access to the site (none of the images load,
> amongst other problems).
>
> I have no idea about privacy policies - how do I make that happen?

I'm pretty sure you're confusing terms here.  A privacy policy is a
document that describes how your application is going to use customer
data.  It's only meaningful to people.

It sounds like your issue is technical.  If images aren't loading, it
has absolutely nothing to do with a privacy policy.  You need to
investigate why those images aren't loading.  Try to take the URL of one
of them, load it in a browser, and see why it won't load.

Just for kicks, if the url is http:// and not https://, switch it to
https:// and see if it loads.  From the information you've given, it
sounds like there might be a chance that there's a ridiculous firewall
that's blocking non-https access.

It also might be that said firewall is blocking https access with
self-signed keys, in which case you'll need to get a key from a
recognized CA.

Let us know what you find out :)

Ben
cuong.tran (Guest)
on 2005-12-05 20:00
(Received via mailing list)
Is this site by any chance SSL enabled?
Bruce Balmer (brucebalmer)
on 2005-12-05 20:13
(Received via mailing list)
OK. Let's put my question on hold. For my particular purpose it would
be as effective to simply not put cookies on the client's computer.
BUT HOW DO I STOP THAT FROM HAPPENING?

I have removed all session variables from my code but rails is still
depositing a cookie.  Why? And more importantly, how do I stop it?

bruce
ben (Guest)
on 2005-12-05 20:29
(Received via mailing list)
On Mon, Dec 05, 2005, Bruce Balmer wrote:
> I thought perhaps that locomotive using lighttpd might require me to
> put something somewhere but it appears that what I really need to do
> (I think) is to just add the compact privacy policy   "CN= whatever"
> to my headers.

I'm now almost certain this is a security certificate thing.  CN is the
'common name' field of an https certificate, where you define the name
of the company that owns the cert.  It sounds like something is
misconfigured, or that you're using a self-signed cert.

I don't think locomotive supports https, but I could be wrong.  Others
might know better than I do.  That could be your entire problem.

Ben
Bruce Balmer (brucebalmer)
on 2005-12-05 20:41
(Received via mailing list)
I have the option of just removing all cookies from this simple app
and would like to do that.  How?

Also, I believe it is to do with cookies. I am on mac osx Tiger.  I
loaded a copy of MSIE 5.0 for my mac and it would not show me any
graphics.  I then dropped my security level in the internet zones
area and voila, graphics.  Strangely, even after putting it back up
and deleting my cookie, I cannot prevent the graphics from appearing.

So it looks like a cookies thing even if it ought to be a graphics
thing.  Anyone seen this happen before?

bruce

PS. MS documentation suggests that IE 6.0 will not accept any cookies
without a privacy policy. Is that true?
ben.myles (Guest)
on 2005-12-05 20:58
(Received via mailing list)
I think he may be referring to a 'compact privacy policy'.

I found this with a quick Google search:

http://www.sitepoint.com/article/p3p-cookies-ie6/2

Also, it looks like you can generate a policy here:

http://p3p.privacycouncil.com/public/publicCPGen.jsp

However, at the time of posting that site seems to be unavailable.

Ben
Bruce Balmer (brucebalmer)
on 2005-12-05 21:55
(Received via mailing list)
Ben:

Thanks a bunch. This could be the thing I need. Meantime, I have
found out how to disable sending cookies but AMAZINGLY (or not) my
site is still not working. So perhaps it was cookies +something
else.  Site is super-simple.  Only a little javascript.

I'm going to let everyone know the solution when I find it because
this is bound to happen to other people.

Bruce
justin (Guest)
on 2005-12-05 23:25
(Received via mailing list)
Ben Myles wrote:

> I think he may be referring to a 'compact privacy policy'.
>
> I found this with a quick Google search:
>
> http://www.sitepoint.com/article/p3p-cookies-ie6/2

(worth going back to Page 1 and reading the whole article)

This is fascinating - does it really apply to session cookies?
If so, why aren't all Rails (and most J2EE, and many other) sites
suffering from it?

> Also, it looks like you can generate a policy here:
>
> http://p3p.privacycouncil.com/public/publicCPGen.jsp
>
> However, at the time of posting that site seems to be unavailable.

Here's a page with more resources:

   http://www.w3.org/P3P/usep3p.html

Microsoft's explanation of IE6 settings is here:

   http://support.microsoft.com/kb/q283185/

and there's a practical article here:

   http://www.duxcw.com/faq/webmastr/privhttp.htm

with associated human-readable privacy statement here:

   http://www.duxcw.com/_include/privincl.htm

Bruce - sorry I doubted your assumption that this was a technical thing.

Reduce this kind of risk in future by doing end-to-end testing of a
representative slice of your application, on the intended technology
(i.e., in this case, from Rails at the external host through to IE6 in
the end user environment), as early as possible in a project.

For now, agree with your customer that this is an aspect that needs
fixing, but also agree a work-around that allows testing of
functionality to continue - even if this means using a server on the
internal network.

I suspect that the images aspect is something different, but I'm not
sure.

Sorry I don't have much time to look into this (I was away from work ill
today, and have some catching up to do)... but I'll google some more and
flag anything that looks useful.

regards

   Justin
justin (Guest)
on 2005-12-06 01:39
(Received via mailing list)
Bruce Balmer wrote:

> Also, I believe it is to do with cookies. I am on mac osx Tiger.  I
> loaded a copy of MSIE 5.0 for my mac and it would not show me any
> graphics.  I then dropped my security level in the internet zones  area
> and voila, graphics.  Strangely, even after putting it back up  and
> deleting my cookie, I cannot prevent the graphics from appearing.

Perhaps it was just reusing graphics that were already in your browser
cache?

regards

   Justin
matt (Guest)
on 2005-12-07 09:01
(Received via mailing list)
On Mon, Dec 05, 2005 at 12:12:46PM -0700, Bruce Balmer wrote:
> OK. Let's put my question on hold. For my particular purpose it would
> be as effective to simply not put cookies on the client's computer.
> BUT HOW DO I STOP THAT FROM HAPPENING?
>
> I have removed all session variables from my code but rails is still
> depositing a cookie.  Why? And more importantly, how do I stop it?

Removing the use of session variables is not sufficient to prevent rails
from attempting to set a _session_id cookie. Read the "Easier session
management" section of
http://documentation.rubyonrails.com/release_notes/rc2.html

Unfortunately if the instructions there don't work you may be running
into this
bug: http://dev.rubyonrails.org/ticket/2914
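
Added example (not part of the original thread): a small Ruby check for the two things discussed here, whether a response still sets a cookie such as `_session_id`, and whether it carries a P3P header with a compact policy (`CP="..."`). The raw responses and policy tokens are constructed samples, and the helper names are hypothetical.

```ruby
# Audit raw HTTP response headers for cookies and a P3P compact policy.
# All sample responses below are constructed for illustration.

# Parse the header block into [name, value] pairs. Header names are
# case-insensitive, so they are downcased; repeated headers are all kept.
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  lines = head.split(/\r?\n/)
  lines.shift # drop the status line
  lines.map do |line|
    name, value = line.split(":", 2)
    next if value.nil? # not a "Name: value" line
    [name.strip.downcase, value.strip]
  end.compact
end

# Names of the cookies the response tries to set.
def cookie_names(headers)
  headers.select { |name, _| name == "set-cookie" }
         .map { |_, value| value.split(";", 2).first.split("=", 2).first.strip }
end

# Tokens of the compact policy (the CP="..." part of a P3P header), or [].
def compact_policy(headers)
  p3p = headers.find { |name, _| name == "p3p" }
  return [] unless p3p
  match = p3p[1].match(/CP\s*=\s*"([^"]*)"/i)
  match ? match[1].split : []
end

# Summarise one response: cookies set, policy tokens, and the mismatch flag.
def audit(raw)
  headers = parse_headers(raw)
  cookies = cookie_names(headers)
  policy = compact_policy(headers)
  { cookies: cookies, compact_policy: policy,
    cookie_without_policy: !cookies.empty? && policy.empty? }
end

WITHOUT_POLICY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" \
                 "Set-Cookie: _session_id=0123abcd; path=/\r\n\r\n<html></html>"
WITH_POLICY = "HTTP/1.1 200 OK\r\nP3P: CP=\"NOI DSP COR\"\r\n" \
              "Set-Cookie: _session_id=0123abcd; path=/\r\n\r\n<html></html>"
NO_COOKIE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __FILE__ == $0
  [WITHOUT_POLICY, WITH_POLICY, NO_COOKIE].each { |raw| p audit(raw) }
end
```

Feeding it the headers captured from the real site shows at a glance whether the cookie is still being sent after sessions were supposedly switched off.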
Bruce Balmer (brucebalmer)
on 2005-12-07 15:17
(Received via mailing list)
Just a quick thank you to all the people who offered assistance.

It turns out that my question was the result of a strange
coincidence, a false conclusion and some less than honest MS docs.

I posted my final conclusions and success to the mailing list in case
it might help anyone else avoid the 12+ hours of misery I just
experienced chasing my tail.

In brief - textmate will let you generate a version 1.0 xhtml
document. If you do that, something about the header code will
prevent (or not allow) MSIE from displaying images.  I don't understand
what or why, but the fix is simple. Watch out for that particular
header text.

If someone were kind enough to tell me how to post that info to the
textmate boys (what is the right forum, format?)  I'd be happy to do
that and make an already great product better.

bruce
hypsometry (Guest)
on 2005-12-07 15:21
(Received via mailing list)
On 12/7/05, Bruce Balmer <brucebalmer@mac.com> wrote:
> If someone were kind enough to tell me how to post that info to the
> textmate boys (what is the right forum, format?)  I'd be happy to do
> that and make an already great product better.

The list:

http://lists.macromates.com/mailman/listinfo/textmate

Also see this page on how to report TextMate bugs:

http://macromates.com/wiki/pmwiki?n=Main.BugReporting

--
Chris Boone

http://hypsometry.com/  :  website edification
http://uvlist.org/  :  free classifieds for the Upper Valley