How to have apache only set P3P header on responses?

Question

So we have a foreign site that's pulling in a cookie and login widget from our domestic site. Since the foreign site is .de, but our domestic site is .com it treats our login widget request as a third party cookie. To get around this we're using mod_header in apache 2.2 which works, but it's being set on every request. We'd like to find a way for it to only be set on responses that are setting cookies. Below is what we have currently. Is there any way to narrow it down?

Header set P3P 'CP="This is not a P3P policy! See our privacy statement here http://www.example.com/example/cms/lang/en/site/products/home/privacy-statement"

_"Since the foreign site is .de, but our domestic site is .com it treats our login widget request as a third party cookie."_ - no, it's a third-party cookie [because it's not the embedding site that sets the cookie](http://en.wikipedia.org/wiki/HTTP_cookie#Third-party_cookie). TLD's don't matter here. — CodeCaster, Dec 18 '12 at 10:42

score 0 · Answer 1 · edited May 23 '17 at 12:12

0

I think you actually need to set up this header on every resource on your external iframe look here . This resolved the problem I had with P3P also

edited May 23 '17 at 12:12

Community

1
1

answered Dec 18 '12 at 10:39

Ohad Sadan

877
6
15

How to have apache only set P3P header on responses?

1 Answers1