
I've researched this subject a lot. But one thing I don't get is if it is possible to set a P3P tag in plain HTML? Just before the first -tag.

I'm trying to get an iFrame-login solution to work in IE.

I have just found code examples in PHP, ASP.NET and so on, but not in plain HTML, if that is even possible.

user3751508
  • possible duplicate of [P3P and PHP session problem with iframes in Internet Explorer 9](http://stackoverflow.com/questions/6283720/p3p-and-php-session-problem-with-iframes-in-internet-explorer-9) – mplungjan Jun 25 '14 at 13:41

1 Answer

I've encountered the same issue recently trying to serve static HTML from AWS S3.

Unfortunately, it is not possible to set Compact Policies without sending server-side response headers.

This means that you cannot set a Compact Policy on statically served HTML content.

Section 2.4.2 of the P3P deployment document explicitly mentions this (emphasis mine):

  1. There is only one mechanism for sites to serve compact policies; they are sent as HTTP response headers. Thus, if a site is unable or unwilling to add HTTP response headers, compact policies cannot be used.

  2. The HTML element META with the http-equiv attribute is sometimes used to simulate the effect of adding HTTP headers to HTML content. ... the http-equiv mechanism should not be used to send a P3P compact policy header, as this information may not be available to a client until after it has processed the cookies in the response.

The `<meta http-equiv='p3p' content='CP="..."'/>` and `<link rel="P3Pv1" href="...">` elements cannot set the Compact Policy either - it must be a response header.

The bottom line is this:

Are you able to send the p3p response header?

  • Yes: Add the header with the appropriate policy and you are done.

  • No: You are out of luck and are unable to set a Compact Policy.

For Amazon S3:

The p3p header is considered a user-defined key so it can only be added as x-amz-meta-p3p.

Since x-amz-meta-p3p != p3p the browser will not accept it as the correct header.

Therefore you cannot set a Compact Policy on AWS S3 content.

Sly_cardinal
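The rule from the answer above (only a `P3P` response header counts; `meta http-equiv`, `link rel="P3Pv1"` and `x-amz-meta-p3p` do not) written as a small response check. This is an added example, not code from the original post; the function name `check_compact_policy` and the sample responses are constructed for illustration.

```python
from html.parser import HTMLParser


class _MarkupP3P(HTMLParser):
    """Collects markup-level P3P hints, which cannot deliver a compact policy."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "p3p":
            self.found.append("meta http-equiv")
        elif tag == "link" and a.get("rel", "").lower() == "p3pv1":
            self.found.append("link rel=P3Pv1")


def check_compact_policy(headers, body):
    """Return (delivered, notes) for one HTTP response.

    delivered is True only when a real P3P response header carries CP=...;
    notes lists look-alike mechanisms that the browser will not honour.
    """
    names = {k.lower(): v for k, v in headers.items()}
    delivered = "p3p" in names and "cp=" in names["p3p"].lower()
    notes = []
    if "x-amz-meta-p3p" in names:
        notes.append("x-amz-meta-p3p is S3 user metadata, not the P3P header")
    parser = _MarkupP3P()
    parser.feed(body)
    for kind in parser.found:
        notes.append(f"{kind} in markup does not deliver a compact policy")
    return delivered, notes


# Constructed sample: static HTML on S3 with the policy only in metadata/markup.
S3_HEADERS = {"Content-Type": "text/html", "x-amz-meta-p3p": 'CP="..."'}
S3_BODY = """<html><head>
<meta http-equiv='p3p' content='CP="..."' />
<link rel="P3Pv1" href="/w3c/p3p.xml">
</head><body>login</body></html>"""

# Constructed sample: a server that can add response headers.
DYNAMIC_HEADERS = {"Content-Type": "text/html", "P3P": 'CP="..."'}
DYNAMIC_BODY = "<html><body>login</body></html>"

if __name__ == "__main__":
    print(check_compact_policy(S3_HEADERS, S3_BODY))
    print(check_compact_policy(DYNAMIC_HEADERS, DYNAMIC_BODY))
```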