P3P set header for IE8 doesn't seem to work

Question

P3P set header for IE8 doesn't seem to work

2.8k Views Asked by coderman At 11 February 2015 at 02:47

The below P3P setHeader code is present in my CASresponse jsp but doesn't seem to work,

response.setHeader("P3P","policyref=\"http://sso.mydomain.net/w3c/p3p.xml\", 
CP=\"CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

Am I missing something here? I am not able to get my third party cookies in IE8.

Is policref required in the header? Should i set a p3p policy for my domain?

Since its a CAS request should i set it when all requests come into CAS?? Say i have entryFilter.java should i set the P3P header there?? Or after the cookie gets created.

I am not able to retain the cookies when IE does a 302 redirect to my serviceUrl.

Original Q&A

There are 3 best solutions below

**Master Slave** · Answer 1 · 2015-02-13T22:49:05.263000

The short answer first :)

you can add the header simply as

response.setHeader("P3P", "CP=\"CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

but as you need the header on all the resources, better go for the filter

public class P3PFilter implements Filter {

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        resp.addHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
        filterChain.doFilter(req, resp);
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}

the long answer

I was suffering from the same issue a while back. Probably just like you, I've did my homework and developed a fair understanding of what P3P policy is and how it is meant to be used. What I was referencing at a time are

Official links

http://www.w3.org/P3P/

http://p3ptoolbox.com/guide/

Notable blogs

http://www.marco.org/2007/04/27/p3p-sucks-how-to-get-frame-cookies-unblocked-in-ie6

http://www.techrepublic.com/blog/software-engineer/craft-a-p3p-policy-to-make-ie-behave/

Notable SO questions

Cookie blocked/not saved in IFRAME in Internet Explorer

P3P Policy not working to allow 3rd party cookies in IE

despite all this I was still failing to make it work properly. What I was failing to realize, and what I eventually learned with the help of this amazing book is that, quote

in order to set third-party cookies for Internet Explorer users (with default security settings), you need to return a special P3P HTTP header with your resources that declares how your service intends to employ user data. This header needs to be returned with ALL HTTP responses for your resources, not just those that set cookies. This means static resources, AJAX endpoints, iframes—everything.

I suspect that this could be your issue as well, the P3P policy I use is almost exactly the same as yours, so you're not getting denied over an invalid policy.

I set my header without a URL to a p3p policy, as said in a techrepublic blog

IE does not compare the compact policy to the full-format policy, and the full-format policy is not needed

and this has proven true in my tests. This would mean that you can add the header simply as

response.setHeader("P3P", "CP=\"CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

However, as you need it in all the response better write a filter something like

public class P3PFilter implements Filter {

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        resp.addHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
        filterChain.doFilter(req, resp);
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}

and applied a filter to all requests.

<filter>
    <filter-name>P3P Filter</filter-name>
    <filter-class>your.package.P3PFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>P3P Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

**Naman** · Answer 2 · 2015-02-17T07:44:44.060000

May this helps,try modifying your code with this:

response.setHeader("P3P","CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'");

Also have a look at this:

https://msdn.microsoft.com/en-us/library/ms537343(v=vs.85).aspx#unsatisfactory_cookies

**Ranjitsinh** · Answer 3 · 2015-02-20T13:36:14.967000

Basically just write the filter like here http://www.muneebahmad.com/index.php/archives/56 and use the

response.addHeader("P3P", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi
CONi HIS OUR IND CNT\"");

then just map it to the URLs you wish to add this header or use /* for all.

OR

Here you will find almost similar question and accepted answer for the same with details sample code.

https://stackoverflow.com/questions/6121212/how-to-generate-and-deploy-p3p-privacy-policy-in-struts2-java

Hope it will help.!!

P3P set header for IE8 doesn't seem to work

There are 3 best solutions below

Related Questions in JSP

Related Questions in HEADER

Related Questions in CAS

Related Questions in P3P

Trending Questions

Popular # Hahtags

Popular Questions