What is the most broad P3P header that will work with IE?

Question

"Medium Security" in IE8 states that third-party cookies that save information that can be used to contact you without your explicit consent are blocked.

What is the most broad P3P header that means we do not collect such information, and will not be blocked by IE?

I want to skip the nasty details of the P3P policy, and just set the header that implies the least legal obligations. Its semantic should be:

we collect everything except information that can be used to contact you.

... without specifying anything else.

Note that most P3P headers are inclusive - if they're not present, you're not allowed to use the information for that purpose - so the P3P header I'm looking for should contain a lot of flags.

Answer 1

From my tests, any of these P3P attributes will prevent IE8 from saving a 3rd party cookie:

CON, TEL, PHY, ONL, FIN, GOV

CON

Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site.

TEL

Information may be used to contact the individual via a voice telephone call for promotion of a product or service.

PHY

Information that allows an individual to be contacted or located in the physical world -- such as telephone number or address.

ONL

Information that allows an individual to be contacted or located on the Internet -- such as email. Often, this information is independent of the specific computer used to access the network. (See the category COM)

FIN

Information about an individual's finances including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments including credit or debit card information.

So don't include them if you want IE8 not to block you. I found the following flags to be the most broad, legalese wise, while still functioning well with IE:

NON DSP LAW CUR ADM DEV TAI PSA PSD HIS OUR DEL IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE LOC IVD SAM IVA OTC

Answer 2

"I want to skip the nasty details of the P3P policy"

It is possible to set a P3P HTTP header without valid compact privacy policy attributes.

Facebook does this. Here is the P3P HTTP header from facebook.com:

P3P: CP="Facebook does not have a P3P policy. Learn why here: http://​fb.me/p3p"

Google does it too:

p3p: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

This is accepted by Internet Explorer. For example, IE's "high" privacy setting blocks all cookies from websites that do not have a compact privacy policy, but cookies accompanied by P3P non-policies like those above are not blocked.

If you implement such a P3P non-policy, be sure to include natural language that explains it is not a real P3P policy, avoid using words that are valid P3P tokens, and also link to the URL of a longer explanation or to your site's real privacy policy.

---

UPDATE: In 2012, Microsoft accused Google of bypassing user privacy settings because of this practice, and they added a "strict P3P validation" setting to IE 10 and 11. When enabled, it rejects cookies that are accompanied by P3P policies that contain undefined tokens. I believe the setting was disabled by default.

Microsoft finally gave up on P3P as of Windows 10. So for Edge (and IE 11 on Windows 10), a P3P policy has no bearing on cookie acceptance.

You can inspect the User-Agent request header in order to only set the P3P header on affected versions of IE.

Answer 3

The authoritative list is at MSDN . Search in that page for Unsatisfactory Cookie Tags.