"Medium Security" in IE8 states that
third-party cookies that save information that can be used to contact you without your explicit consent están bloqueados.
What is the most broad P3P header that means we do not collect such information, and will not be blocked by IE?
I want to skip the nasty details of the P3P policy, and just set the header that implies the least legal obligations. Its semantic should be:
we collect everything except information that can be used to contact you.
... without specifying anything else.
Note that most P3P headers are inclusive - if they're not present, you're not allowed to use the information for that purpose - so the P3P header I'm looking for should contain a lot of flags.
preguntado el 08 de noviembre de 11 a las 09:11
"I want to skip the nasty details of the P3P policy"
Es posible establecer un
Facebook does this. Here is the
P3P HTTP header from facebook.com:
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Google does it too:
p3p: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
UPDATE: In 2012, Microsoft accused Google of bypassing user privacy settings because of this practice, and they added a "strict P3P validation" setting to IE 10 and 11. When enabled, it rejects cookies that are accompanied by P3P policies that contain undefined tokens. I believe the setting was disabled by default.
Microsoft finally gave up on P3P as of Windows 10. So for Edge (and IE 11 on Windows 10), a P3P policy has no bearing on cookie acceptance.
Puede inspeccionar el
User-Agent request header in order to only set the
P3P header on affected versions of IE.
From my tests, any of these P3P attributes will prevent IE8 from saving a 3rd party cookie:
CON, TEL, PHY, ONL, FIN, GOV
Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site.
Information may be used to contact the individual via a voice telephone call for promotion of a product or service.
Information that allows an individual to be contacted or located in the physical world -- such as telephone number or address.
Information that allows an individual to be contacted or located on the Internet -- such as email. Often, this information is independent of the specific computer used to access the network. (See the category COM)
Information about an individual's finances including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments including credit or debit card information.
So don't include them if you want IE8 not to block you. I found the following flags to be the most broad, legalese wise, while still functioning well with IE:
NON DSP LAW CUR ADM DEV TAI PSA PSD HIS OUR DEL IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE LOC IVD SAM IVA OTC