“Medium Security” in IE8 states that third-party cookies that save information that can be used to contact you without your explicit consent are blocked.
What is the most broad P3P header that means we do not collect such information, and will not be blocked by IE?
I want to skip the nasty details of the P3P policy, and just set the header that implies the least legal obligations. Its semantic should be:
we collect everything except information that can be used to contact you.
… without specifying anything else.
Note that most P3P headers are inclusive – if they’re not present, you’re not allowed to use the information for that purpose – so the P3P header I’m looking for should contain a lot of flags.
From my tests, any of these P3P attributes will prevent IE8 from saving a 3rd party cookie:
CON
Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site.
TEL
Information may be used to contact the individual via a voice telephone call for promotion of a product or service.
PHY
Information that allows an individual to be contacted or located in the physical world — such as telephone number or address.
ONL
Information that allows an individual to be contacted or located on the Internet — such as email. Often, this information is independent of the specific computer used to access the network. (See the category COM)
FIN
Information about an individual’s finances including account status and activity information such as account balance, payment or overdraft history, and information about an individual’s purchase or use of financial instruments including credit or debit card information.
So don’t include them if you want IE8 not to block you. I found the following flags to be the most broad, legalese wise, while still functioning well with IE: