P3P Policy Header in .htaccess file

I’m trying to set a P3P Policy header in the .htaccess file and not having much success. Here’s the scenario: 2 web servers, 2 domains. The main site is at server 1, another set of code is at server 2. For some people, IE is blocking sessions/cookies, hence attempting this. And before you ask, no, the sites can’t be run on the same server. Here’s what I put in the .htaccess:

<IfModule mod_headers.c>
Header set P3P "policyref=\"/p3p/p3p.xml\", CP=\"NOI DSP COR NID CUR ADM DEV OUR BUS\""
</IfModule>

I’ve tried different urls as above including the full URL. I checked with the server admin and mod_header is available and enabled. When checking site 1 with IE, I’m still getting the Evil Eye icon in the status bar, regardless what I have in the header set. Can anyone give me pointers?

One question: does this need to be on server 1 or 2?

Wouldn’t you want it on both servers?

Have you confirmed the header you want is being sent? Telnet in to the server on port 80, send an HTTP request, and look at the headers you’re getting back.

Got me? I haven’t had a chance to get back to this. I’ll have to give the telnet thing a try, thanks for the tip.

OK, I’m doing this directly on the page at server 2:

Header('P3P: href="/olp/jlc2/w3c/p3p.xml" CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"');

Loading the page directly with IE and watching Fiddler to see what headers are coming back, and I don’t see it. Fiddler actually tells me “No P3P Header is present.” This works on my local dev box though. Hmmmm. Why wouldn’t header work? I don’t think I’m outputting anything before this somewhere. Server 2 is running SSL for the site; that wouldn’t be blocking it, would it?

Aaah, SSL is blocking it! When I go straight to the page without the SSL, I see the P3P header. Weird!

More on the continuing drama…

The P3P validator sees it fine, curl sees it fine. IE and Fiddler are still balking at it.

Oh, and Firefox sees it fine also…

Thought I would add, here’s what my .htaccess file looks like:

<IfModule mod_headers.c>
Header set P3P: 'cp="ALL DSP COR CURa ADMa DEVa CONa SAMa BUS"'
Header append P3P: 'policyref="/w3c/p3p.xml"'
</IfModule>

I have this partially working and can’t figure out why. Here’s the scoop. On server 1 I have a page with an iframe calling server 2. If I put https://server2.com/ (which grabs a page called index.html) in the iframe url, everything is cool. If I start going into folders, such as https://server2.com/some/folder/somepage.php, then it no longer works. Why would that be?

And here’s the crazy part, this is only affecting IE. Everything works except the second scenario and IE!

Wondering if it’s my privacy policy?

OK, I think the reason why is I have a redirect on the index page in the sub directory. Doing a curl command on it shows it as a 302 Moved Temporarily status, which is probably what is flagging IE. Anyone have any ideas on what type of status code I should redirect with?

301 Moved Permanently?

Yeah, maybe. I tried 303 but that one didn’t work. I’m going to try some others tomorrow. Gave up for the day.
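
Added example, not part of the thread: the "look at the headers you're getting back" check from above, applied to every response in a redirect chain instead of only the final page, since curl showed a 302 in front of the page. The host name and sample responses are constructed, and the assumption that the redirect response itself lacks the header is not confirmed anywhere in the thread.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_once(url):
    """One GET without following redirects; returns (status, headers dict)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def audit_chain(url, fetch=fetch_once, max_hops=5):
    """Walk the redirect chain and record, per hop, the P3P header (or None)."""
    hops = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        hops.append((url, status, headers.get("p3p")))
        if status not in (301, 302, 303, 307, 308) or "location" not in headers:
            break
        url = urljoin(url, headers["location"])  # Location may be relative
    return hops

def missing_p3p(hops):
    """URLs in the chain whose response carried no P3P header."""
    return [url for url, _status, p3p in hops if not p3p]

# Constructed responses (not captured from the poster's servers): a folder
# index that 302-redirects without the header, then a page that sends it.
SAMPLE = {
    "https://server2.example/some/folder/": (302, {"location": "somepage.php"}),
    "https://server2.example/some/folder/somepage.php": (
        200, {"p3p": 'policyref="/w3c/p3p.xml", CP="ALL DSP COR"'}),
}

if __name__ == "__main__":
    start = "https://server2.example/some/folder/"
    for url, status, p3p in audit_chain(start, fetch=SAMPLE.__getitem__):
        print(status, url, "P3P:", p3p or "MISSING")
```

Drop the `fetch=` argument to run the same audit against a live URL with `fetch_once`.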