0
votes

I've researched this subject alot. But one thing I don't get if it is possible to set a P3P tag in plain HTML? Just before the first -tag.

Im trying to get an iFrame-login solution to work in IE.

I have just found code example in PHP, ASP.NET and so on but not in plain HTLM, if that is even possible.

1

1 Answers

1
votes

I've encountered the same issue recently trying to serve static HTML from AWS S3.

Unfortunately, it is not possible to set Compact Policies without sending server-side response headers.

This means that you cannot set a Compact Policy on staticly-served HTML content.

Section 2.4.2 of the P3P deployment document explicitly mentions this (emphasis mine):

  1. There is only one mechanism for sites to serve compact policies; they are sent as HTTP response headers. Thus, if a site is unable or unwilling to add HTTP response headers, compact policies cannot be used.

  2. The HTML element META with the http-equiv attribute is sometimes used to simulate the effect of adding HTTP headers to HTML content. ... the http-equiv mechanism should not be used to send a P3P compact policy header, as this information may not be available to a client until after it has processed the cookies in the response.

The <meta http-equiv='p3p' content='CP="..."'/> and <link rel="P3Pv1" href="..."> elements cannot set the Compact Policy either - it must be a response header.

The bottom line is this:

Are you able to send the p3p response header?

  • Yes: Add the header with the appropriate policy and you are done.

  • No: You are out of luck and are unable to set a Compact Policy.

For Amazon S3:

The p3p header is considered a user-defined key so it can only be added as x-amz-meta-p3p.

Since x-amz-meta-p3p != p3p the browser will not accept it as the correct header.

Therefore you cannot set a Compact Policy on AWS S3 content.