I’m trying to set a P3P Policy header in the .htaccess file and not having much success. Here’s the scenario: 2 web servers, 2 domains. The main site is at server 1, another set of code is at server 2. For some people, IE is blocking sessions/cookies, hence attempting this. And before you ask, no, the sites can’t be run on the same server. Here’s what I put in the .htaccess:
<IfModule mod_headers.c>
Header set P3P "policyref=\"/p3p/p3p.xml\", CP=\"NOI DSP COR NID CUR ADM DEV OUR BUS\""
</IfModule>
I’ve tried different URLs as above, including the full URL. I checked with the server admin and mod_header is available and enabled. When checking site 1 with IE, I’m still getting the Evil Eye icon in the status bar, regardless of what I have in the header set. Can anyone give me pointers?
One question: does this need to be on server 1 or 2?
Have you confirmed the header you want is being sent? Telnet in to the server on port 80, send an HTTP request, and look at the headers you’re getting back.
OK, I’m doing this directly on the page at server 2:
Header('P3P: href="/olp/jlc2/w3c/p3p.xml" CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"');
Loading the page directly with IE and watching Fiddler to see what headers are coming back, I don’t see it. Fiddler actually tells me “No P3P Header is present.” This works on my local dev box though. Hmmmm. Why wouldn’t header work? I don’t think I’m outputting anything before this somewhere. Server 2 is running SSL for the site; that wouldn’t be blocking it, would it?
I have this partially working and can’t figure out why. Here’s the scoop. On server 1 I have a page with an iframe calling server 2. If I put https://server2.com/ (which grabs a page called index.html) in the iframe URL, everything is cool. If I start going into folders, such as https://server2.com/some/folder/somepage.php, then it no longer works. Why would that be?
And here’s the crazy part, this is only affecting IE. Everything works except the second scenario and IE!
OK, I think the reason why is I have a redirect on the index page in the sub directory. Doing a curl command on it shows it as a 302 Moved Temporarily status, which is probably what is flagging IE. Anyone have any ideas on what type of status code I should redirect with?
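The header check suggested earlier in the thread, applied to every hop of a redirect chain like the 302 found above. This is an added example, not code from any of the posters: it reads the header dump that `curl -sIL <url>` prints and reports, per response, whether a P3P header came back. The sample dump, including the cookie on the 302, is constructed.

```python
# Added example: audit each hop of a redirect chain for the P3P response header.
# Input is the raw header dump printed by `curl -sIL <url>` (one block per hop).
SAMPLE = """\
HTTP/1.1 302 Moved Temporarily
Location: https://server2.com/some/folder/somepage.php
Set-Cookie: PHPSESSID=constructed; path=/

HTTP/1.1 200 OK
P3P: policyref="/p3p/p3p.xml", CP="NOI DSP COR NID CUR ADM DEV OUR BUS"
Content-Type: text/html
"""

def parse_hops(dump):
    """Split the dump into one {'status', 'headers'} dict per HTTP response."""
    hops = []
    for block in dump.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [l for l in block.split("\n") if l.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # skip anything that is not a response header block
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:  # header names are case-insensitive, so normalise them
                headers.setdefault(name.strip().lower(), []).append(value.strip())
        hops.append({"status": int(lines[0].split()[1]), "headers": headers})
    return hops

def audit_p3p(dump):
    """One finding per hop: status, P3P value (or None), cookie flag, redirect target."""
    findings = []
    for n, hop in enumerate(parse_hops(dump), 1):
        h = hop["headers"]
        findings.append({
            "hop": n,
            "status": hop["status"],
            "p3p": h.get("p3p", [None])[0],
            "sets_cookie": "set-cookie" in h,
            "location": h.get("location", [None])[0],
        })
    return findings

def missing_p3p(dump):
    """Hop numbers that set a cookie but carry no P3P header."""
    return [f["hop"] for f in audit_p3p(dump) if f["sets_cookie"] and f["p3p"] is None]

if __name__ == "__main__":
    for finding in audit_p3p(SAMPLE):
        print(finding)
    print("cookie-setting hops without P3P:", missing_p3p(SAMPLE))
```

A header sent from the final page's PHP does not appear on the redirect response that precedes it, so each hop has to be checked separately.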