The short answer first :)
you can add the header simply as
response.setHeader("P3P", "CP=\"CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
but as you need the header on all the resources, better go for the filter
public class P3PFilter implements Filter {
public void destroy() {
}
public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException {
HttpServletResponse resp = (HttpServletResponse) res;
resp.addHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
filterChain.doFilter(req, resp);
}
public void init(FilterConfig arg0) throws ServletException {
}
}
the long answer
I was suffering from the same issue a while back. Probably just like you, I've did my homework and developed a fair understanding of what P3P policy is and how it is meant to be used. What I was referencing at a time are
Official links
http://www.w3.org/P3P/
http://p3ptoolbox.com/guide/
Notable blogs
http://www.marco.org/2007/04/27/p3p-sucks-how-to-get-frame-cookies-unblocked-in-ie6
http://www.techrepublic.com/blog/software-engineer/craft-a-p3p-policy-to-make-ie-behave/
Notable SO questions
Cookie blocked/not saved in IFRAME in Internet Explorer
P3P Policy not working to allow 3rd party cookies in IE
despite all this I was still failing to make it work properly. What I was failing to realize, and what I eventually learned with the help of this amazing book is that, quote
in order to set third-party cookies for Internet Explorer users (with
default security settings), you need to return a special P3P HTTP
header with your resources that declares how your service intends to
employ user data. This header needs to be returned with ALL HTTP
responses for your resources, not just those that set cookies. This
means static resources, AJAX endpoints, iframes—everything.
I suspect that this could be your issue as well, the P3P policy I use is almost exactly the same as yours, so you're not getting denied over an invalid policy.
I set my header without a URL to a p3p policy, as said in a techrepublic blog
IE does not compare the compact policy to the full-format policy, and
the full-format policy is not needed
and this has proven true in my tests. This would mean that you can add the header simply as
response.setHeader("P3P", "CP=\"CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
However, as you need it in all the response better write a filter something like
public class P3PFilter implements Filter {
public void destroy() {
}
public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException {
HttpServletResponse resp = (HttpServletResponse) res;
resp.addHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
filterChain.doFilter(req, resp);
}
public void init(FilterConfig arg0) throws ServletException {
}
}
and applied a filter to all requests.
<filter>
<filter-name>P3P Filter</filter-name>
<filter-class>your.package.P3PFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>P3P Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
