Disallow P3P headers (no-p3p)

`no-p3p` disallows the use of P3P in any of its three forms: the `P3P` response header, the `<link rel="P3Pv1">` element, and the well-known location `/w3c/p3p.xml`.

Why is this important?

P3P (Platform for Privacy Preferences Project) is a deprecated W3C technology that let a site publish a machine-readable privacy policy so that browsers could check it programmatically (for example, when deciding whether to accept cookies).

Microsoft Internet Explorer was the most popular browser that implemented P3P. With Windows 10, P3P support was removed entirely from Internet Explorer 11, and it receives only minimal servicing on other versions of Windows. Other popular browsers either never implemented P3P or removed it before Microsoft did.

Beyond the lack of browser support, a P3P policy that is sent but not kept in sync with the site's human-readable privacy policy can create legal confusion, and therefore legal risk. Check with a lawyer in your jurisdiction to see whether that applies to you.

Additionally, studies have found that about 33% of sites using P3P did not have a valid configuration. In some cases a bogus value was sent deliberately to get around Internet Explorer's cookie blocking, which defeats the purpose of P3P entirely; in others the tokens simply contained typos and errors.

For all of these reasons, it is recommended not to use P3P anymore.

One thing to keep in mind if you need to support old versions of Internet Explorer, quoting "A Quick Look at P3P" (Eric Lawrence):

> By default, Internet Explorer will reject cookies coming from 3rd-party contexts. A 3rd-party context is one where the domain on the content is different than the domain of the page that pulls in that content. Possible third-party contexts include pretty much any element that accepts a URL: `<script>`, `<img>`, `<link>`, `<frame>`, `<iframe>`, `<audio>`, `<video>`, et cetera. It also includes cross-domain XMLHttpRequests that attempt to send cookies when the `withCredentials` flag is set.

What does the hint check?

There are 3 ways in which a site can define the P3P policy:

1. The `P3P` HTTP response header (usually carrying a compact policy in `CP="..."`).
2. A `<link rel="P3Pv1">` element in the HTML pointing at the policy reference file.
3. A policy reference file served at the well-known location `/w3c/p3p.xml`.

This hint checks that a site doesn't use any of these.
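The following is an added example, not webhint's own implementation: a small Node.js checker that looks for P3P usage in the three forms the hint flags, run over constructed responses so that it works offline. The `checkP3P` function, the shape of the `site` objects it takes and every name in it are assumptions made for this illustration. It matches the header name and the `rel` tokens case-insensitively (the hint's examples are case-insensitive), handles a `rel` attribute that carries several tokens, and distinguishes a well-formed compact policy from a `P3P` header sent with non-P3P contents.

```javascript
// Added example, not webhint's own code: a small checker that reports P3P
// usage in the three forms the no-p3p hint looks for. The "site" objects it
// inspects are constructed inline, so it runs offline (Node.js, no deps).

// Parse a P3P header value. A well-formed value carries a compact policy as
// CP="...", optionally preceded by policyref="...". Anything else is still a
// P3P header as far as the hint is concerned, but is reported as malformed.
function parseP3PHeader(value) {
  const match = /\bCP\s*=\s*"([^"]*)"/i.exec(String(value));
  if (!match) {
    return { valid: false, tokens: [] };
  }
  const tokens = match[1].trim().split(/\s+/).filter(Boolean);
  return { valid: tokens.length > 0, tokens };
}

// Return the href of every <link> whose rel attribute contains the token
// P3Pv1. Tag and attribute names are matched case-insensitively, and rel may
// carry several space-separated tokens (e.g. rel="stylesheet p3pv1").
function findP3PLinks(html) {
  const hrefs = [];
  const attr = (tag, name) => {
    const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
    const m = re.exec(tag);
    return m ? (m[1] ?? m[2] ?? m[3]) : null;
  };
  for (const [tag] of String(html).matchAll(/<link\b[^>]*>/gi)) {
    const rel = attr(tag, 'rel');
    if (rel && rel.toLowerCase().split(/\s+/).includes('p3pv1')) {
      hrefs.push(attr(tag, 'href'));
    }
  }
  return hrefs;
}

// site = { headers: { name: value }, html: string, wellKnown: { status } }
//   headers:   response headers of the page (names compared case-insensitively)
//   html:      the page body
//   wellKnown: the response obtained for GET /w3c/p3p.xml
// Returns one message per P3P usage found; an empty array means the site passes.
function checkP3P(site) {
  const findings = [];

  for (const [name, value] of Object.entries(site.headers || {})) {
    if (name.toLowerCase() !== 'p3p') continue;
    const parsed = parseP3PHeader(value);
    findings.push(parsed.valid
      ? `P3P header sent: CP="${parsed.tokens.join(' ')}"`
      : `P3P header sent with non-P3P contents: ${JSON.stringify(value)}`);
  }

  for (const href of findP3PLinks(site.html || '')) {
    findings.push(`<link rel="P3Pv1"> found (href: ${href})`);
  }

  if (site.wellKnown && site.wellKnown.status === 200) {
    findings.push('/w3c/p3p.xml served with status 200');
  }

  return findings;
}

// Constructed sample input: a site that fails in all three ways ...
const failingSite = {
  headers: {
    'Content-Type': 'text/html; charset=utf-8',
    'P3P': 'CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"',
  },
  html: '<html><head><LINK REL="stylesheet p3pv1" HREF="/p3p.xml"></head></html>',
  wellKnown: { status: 200 },
};

// ... and one that passes: no header, no link, 404 at the well-known location.
const passingSite = {
  headers: { 'Content-Type': 'text/html; charset=utf-8' },
  html: '<html><head><link rel="stylesheet" href="/site.css"></head></html>',
  wellKnown: { status: 404 },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkP3P(failingSite)); // three findings
  console.log(checkP3P(passingSite)); // []
}
```

Running the file prints the three findings for `failingSite` and an empty array for `passingSite`. To check a real site you would fill the `site` object from an actual fetch of the page and of `/w3c/p3p.xml`; the checker itself makes no network requests.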

Examples that trigger the hint

Note: the following examples are case-insensitive.

The `P3P` header is sent:

```http
HTTP/... 200 OK
...
p3p: CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
...
```

The `P3P` header is sent with non-P3P contents:

```http
HTTP/... 200 OK
...
p3p: <Random or empty value>
...
```

There is a `<link>` element with `rel="P3Pv1"`:

```html
...
<link rel="P3Pv1" href="/p3p.xml">
...
```

The server responds to `/w3c/p3p.xml` with status 200, whatever the content:

```http
HTTP/... 200 OK
...
```

Examples that pass the hint

The `P3P` header is not sent:

```http
HTTP/... 200 OK
Content-Type: text/html; charset=utf-8
...
```

There isn't any `<link rel="P3Pv1">` in the HTML.

The server doesn't serve anything at `/w3c/p3p.xml`:

```http
HTTP/... 404 Not Found
...
```

Further Reading