Jul 21

I finally made the site P3P compliant, and it was a bit of a hassle:

i created an html privacy page, handcrafted the required xml policy reference and policy files and added the meta element to them on all my pages. it would validate okay, but IE persisted in blocking some files and issuing a privacy report warning.

the only thing i hadn’t done was to implement the ‘compact’ http header, which is optional in terms of P3P, so I supposed IE must be looking for that. but then, i thought, that couldn’t be right – hosted static sites – of which there are more than a few – couldn’t possibly generate that header (without access to the web server’s admin), and if IE was basing its checks on that, then…

well, wouldn’t be the first time a browser vendor ‘interpreted’ the standard for their own commercial ends; and the msdn doco says, “Internet Explorer 6 uses these compact policies to filter cookies based on a user’s privacy preferences”.

hmmm. without either a header, a meta element, or a ‘well known location’ – /w3c/p3p.xml – (all of which are optional in the spec) there’s no way for a user agent to determine the presence of a P3P policy or not. and that’s one of the problems i have with the spec – to be successfully implemented, to enable the implementation of the spec, specific requirements surely have to be placed on user agents, and here it falls down. for the most part the P3P spec is only five things: an xml locator file, the xml policy file, a ‘well-known location’ for the previous two, an http header extension (the so called ‘compact policy’), or an xhtml extension (e.g. meta element). the msdn link above suggests that the first four are required to stop IE blocking and issuing a privacy report warning.
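The discovery routes listed above, written out as a check a site owner could run against a saved response. This is an added example, not code from the original post. The function names, the sample page and the sample compact-policy tokens are constructed, and the HTML form it looks for is the `<link rel="P3Pv1">` element that P3P 1.0 defines.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

WELL_KNOWN = "/w3c/p3p.xml"  # the well-known location named in the post

class _LinkFinder(HTMLParser):
    """Collects the href of every <link rel="P3Pv1"> element."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "p3pv1" and a.get("href"):
            self.hrefs.append(a["href"])

def parse_p3p_header(value):
    """Split a P3P header value into (policyref, [compact policy tokens])."""
    ref = re.search(r'\bpolicyref\s*=\s*"([^"]*)"', value, re.I)
    cp = re.search(r'\bCP\s*=\s*"([^"]*)"', value, re.I)
    return (ref.group(1) if ref else None, cp.group(1).split() if cp else [])

def discover_p3p(page_url, headers, html):
    """Report which P3P discovery routes one response offers a user agent."""
    headers = {k.lower(): v for k, v in headers.items()}
    policyref, compact = parse_p3p_header(headers.get("p3p", ""))
    finder = _LinkFinder()
    finder.feed(html)
    return {
        # Route 1: HTTP header (needs control over the web server)
        "header_policyref": urljoin(page_url, policyref) if policyref else None,
        "compact_policy": compact,
        # Route 2: element in the page itself (works on static hosting)
        "link_policyref": urljoin(page_url, finder.hrefs[0]) if finder.hrefs else None,
        # Route 3: nothing in the response, the agent has to go and fetch this
        "well_known_to_probe": urljoin(page_url, WELL_KNOWN),
    }

# Constructed samples: a static page with no P3P header, and a header-only response.
STATIC_HTML = '<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></head><body></body></html>'
HEADER_ONLY = {"P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID"'}

if __name__ == "__main__":
    print(discover_p3p("http://example.org/blog/post.html", {}, STATIC_HTML))
    print(discover_p3p("http://example.org/blog/post.html", HEADER_ONLY, ""))
```
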

however, after some experimenting setting cookies both with and without the header, it turns out i hadn’t added the optional tag in my policy reference file, and that’s what IE was really looking for. if only the doco had been clearer and right…
