What is the most broad P3P header that will work with IE?

Front-end | Unresolved | 3 answers | 806
陌清茗 2020-12-23 14:49

"Medium Security" in IE8 states that third-party cookies that save information that can be used to contact you without your explicit consent are blocked.

3 answers
  •  伪装坚强ぢ
    2020-12-23 15:17

    "I want to skip the nasty details of the P3P policy"

    It is possible to set a P3P HTTP header without valid compact privacy policy attributes.

    Facebook does this. Here is the P3P HTTP header from facebook.com:

    P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"


    Google does it too:

    p3p: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."


    This is accepted by Internet Explorer. For example, IE's "high" privacy setting blocks all cookies from websites that do not have a compact privacy policy, but cookies accompanied by P3P non-policies like those above are not blocked.

    If you implement such a P3P non-policy, be sure to include natural language that explains it is not a real P3P policy, avoid using words that are valid P3P tokens, and also link to the URL of a longer explanation or to your site's real privacy policy.


    UPDATE: In 2012, Microsoft accused Google of bypassing user privacy settings because of this practice, and they added a "strict P3P validation" setting to IE 10 and 11. When enabled, it rejects cookies that are accompanied by P3P policies that contain undefined tokens. I believe the setting was disabled by default.

    Microsoft finally gave up on P3P as of Windows 10. So for Edge (and IE 11 on Windows 10), a P3P policy has no bearing on cookie acceptance.

    You can inspect the User-Agent request header in order to only set the P3P header on affected versions of IE.
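
As an added example (not code from the original answer, nor from Facebook or Google), here are Python helpers for the two practical steps the answer recommends: checking that a "non-policy" CP value contains no words IE would read as real compact-policy tokens, and emitting the header only to IE versions on which P3P still affects cookie acceptance. The token list is the one from the P3P 1.0 specification; the sample User-Agent strings, the example.com URL and the explanation text are constructed assumptions. IE's exact tokenizing (case handling, punctuation) is not documented on this page, so the checker is deliberately conservative: it matches case-insensitively and strips surrounding punctuation, which is why an English word like "our" or "all" gets flagged. Note that under the "strict P3P validation" setting described in the update, a non-policy is rejected regardless of wording, so this only helps on IE's default settings.

```python
"""Added example: P3P non-policy checker and IE-only header emission.

Not part of the original answer. Token list from the P3P 1.0 spec; UA strings,
URL and explanation text are constructed assumptions.
"""
from __future__ import annotations

import re

# P3P 1.0 compact-policy tokens, grouped as in the specification.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA",
              "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}

# Purpose and recipient tokens may carry an a/i/o suffix (always / opt-in / opt-out),
# e.g. "CURa" or "OURi"; the other groups never take a suffix.
SUFFIXABLE = PURPOSES | RECIPIENTS
PLAIN = ACCESS | DISPUTES | REMEDIES | NON_IDENTIFIABLE | RETENTION | CATEGORIES | TEST

_WORD = re.compile(r"^([A-Za-z]{3})([aio])?$")


def compact_policy_tokens(cp_value: str) -> set[str]:
    """Return the P3P tokens (upper-cased, suffix stripped) found in a CP= value.

    Splits on whitespace, strips surrounding punctuation and matches
    case-insensitively, i.e. more strictly than the spec's upper-case tokens.
    For a deliberate non-policy the result should be the empty set.
    """
    found: set[str] = set()
    for word in cp_value.split():
        match = _WORD.match(word.strip(".,;:!?()\"'"))
        if not match:
            continue
        base, suffix = match.group(1).upper(), match.group(2)
        if base in SUFFIXABLE or (base in PLAIN and suffix is None):
            found.add(base)
    return found


def wants_p3p_header(user_agent: str) -> bool:
    """True for IE versions on which a P3P header still influences cookie acceptance.

    IE <= 10 identify with "MSIE n.0"; IE 11 dropped that token and identifies with
    "Trident/7.0" plus "rv:11.0". Per the answer, IE 11 on Windows 10 ignores P3P,
    and Windows 10 reports itself as "Windows NT 10.0". Edge and other browsers send
    neither "MSIE" nor "Trident/". UA strings are client-controlled, so this is a
    bandwidth optimisation, never a security control.
    """
    ua = user_agent or ""
    is_ie = "MSIE " in ua or "Trident/" in ua
    on_windows_10 = "Windows NT 10.0" in ua
    return is_ie and not on_windows_10


# Assumed wording and URL; replace with your own privacy-policy link.
NON_POLICY = "This site does not publish a P3P policy; see https://example.com/privacy"


def p3p_header(user_agent: str, explanation: str = NON_POLICY) -> list[tuple[str, str]]:
    """Headers to append to a response: [("P3P", 'CP="..."')] for affected IE, else [].

    Refuses an explanation containing a double quote (it would terminate the CP
    value early) or any word IE could parse as a real compact-policy token.
    """
    if '"' in explanation:
        raise ValueError("explanation must not contain double quotes")
    tokens = compact_policy_tokens(explanation)
    if tokens:
        raise ValueError(f"explanation contains P3P tokens: {sorted(tokens)}")
    if not wants_p3p_header(user_agent):
        return []
    return [("P3P", f'CP="{explanation}"')]


# Constructed sample User-Agent strings in the shape those browsers send.
IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
IE11_WIN7_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
IE11_WIN10_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/42.0.2311.135 Safari/537.36 Edge/12.246")
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/80.0.3987.132 Safari/537.36")

if __name__ == "__main__":
    for cp in ("Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p",
               "We publish no P3P policy for our site"):
        print(repr(cp), "->", compact_policy_tokens(cp) or "no tokens")
    for ua in (IE8_UA, IE11_WIN10_UA, CHROME_UA):
        print(ua[:40], "->", p3p_header(ua))
```

The token check is the part worth keeping even if you drop UA sniffing and send the header unconditionally: the Facebook and Google strings above pass it, while a sentence such as "We publish no P3P policy for our site" fails because "our" is the recipient token OUR.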
