Mod_headers and cgi issue relating to IE7/P3P/cookies: discussion and questions
on 25.05.2007 19:03:36 by elwyatt
I am using an admittedly ancient Apache 1.3.6 setup for an ecommerce
site. It consists of a lot of static pages, images, and shopping cart
cgi with SSL. Nothing fancy. No PHP or MySQL. It has worked for years.
Recently I attempted to resolve the IE7 browser cookie problem by
implementing P3P Privacy policies on the site. I partially succeeded,
but the part that failed raised a few questions (see bottom of page.)
For those unfamiliar with the problem, here is a summary:
Internet Explorer 7 browser (IE7) changed the way cookies are handled
by default. When the Privacy setting is set to High (the default),
cookies may not be set or read unless the page using the cookie meets
all P3P Privacy requirements. If it doesn't, a nasty privacy icon is
displayed in the browser, and the cookie fails to work. If the cookie
is needed to store customer data, like the contents of a shopping
cart, that site functionality will fail. One of the P3P Privacy
requirements imposed is that the response headers for the page
include a specific P3P Compact Policy header which summarizes the XML
Privacy Policy on the site and points to it. The prescribed method to
generate this header is via Apache module mod_headers, which generates
the headers at the directive of a header statement placed within the
Apache configuration files or .htaccess.
On my setup, mod_headers is compiled-in, as revealed by httpd -l.
When I placed the appropriate header directive within .htaccess at
web root level, the correct response header containing the P3P
Compact Policy shows up, for all static pages on my site. So far, so
good.
However, for dynamic pages generated by the shopping cart cgi, the
response headers are quite different and do not contain the P3P
Compact Policy header. Since these are the pages that use the cookies,
the IE7 browser fails to store or read the shopping cart contents,
the nasty privacy icon is revealed in the browser, and the customer
can buy nothing.
The shopping cart vendor has quickly produced a patch to address this
issue by allowing admins to add the required response header to the
cgi output directly. This was nice, but can't fully address potential
requirements to have slightly different policies for different areas
of the site.
...and so, the questions:
Why does mod_headers not seem to generate the directed P3P Compact
Policy header for the pages generated via the shopping cart cgi?
Shouldn't mod_headers be parsed just the same for dynamic pages as for
static pages, and produce the same result (unless Non Parsed Headers
mode is used? It isn't in this case)? Can anyone think of any ideas
to pursue to chase this problem? Has anybody successfully resolved P3P
issues on their site with IE7 on a similar system, and what was their
experience?
Please feel free to correct any errors of fact or assumptions on my
part.
Thanks for any insight you may provide.
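As an added example (not code from the poster, the cart vendor or Apache), here is a small checker that parses raw HTTP response headers the way the post compares them: it extracts the P3P compact policy from the P3P header and flags a response that sets a cookie without one, which is exactly the static-vs-CGI difference described above. The two responses are constructed samples, not captures from the poster's site.

```python
import re
# Constructed sample responses (not from the poster's site): a static page carrying
# the mod_headers P3P header, and a CGI page that sets the cart cookie without one.
STATIC_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/1.3.6 (Unix)\r\n"
    'P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND COM NAV INT"\r\n'
    "Content-Type: text/html\r\n\r\n<html></html>"
)
CGI_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/1.3.6 (Unix)\r\n"
    "Set-Cookie: cart=abc123; path=/; secure\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
# A compact-policy token is three capitals plus an optional a/i/o suffix
# (always / opt-in / opt-out), e.g. CAO, CURa.
TOKEN_RE = re.compile(r"^[A-Z]{3}[aio]?$")

def parse_headers(raw):
    """Return the response's headers as (lowercased name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def p3p_compact_policy(raw):
    """Return (policyref, [CP tokens]) from the P3P header, or None if absent."""
    for name, value in parse_headers(raw):
        if name == "p3p":
            ref = re.search(r'policyref\s*=\s*"([^"]*)"', value, re.I)
            cp = re.search(r'\bCP\s*=\s*"([^"]*)"', value, re.I)
            return (ref.group(1) if ref else None, cp.group(1).split() if cp else [])
    return None

def check_response(raw):
    """Return a list of findings; an empty list means IE7 should accept the cookie."""
    sets_cookie = any(n == "set-cookie" for n, _ in parse_headers(raw))
    policy = p3p_compact_policy(raw)
    if policy is None:
        return ["Set-Cookie without any P3P header: IE7 will block the cookie"] if sets_cookie else []
    ref, tokens = policy
    findings = []
    if not tokens:
        findings.append("P3P header present but has no CP= compact policy")
    bad = [t for t in tokens if not TOKEN_RE.match(t)]
    if bad:
        findings.append("malformed compact-policy tokens: " + " ".join(bad))
    if ref is None:
        findings.append("P3P header lacks a policyref= pointer to the XML policy")
    return findings
```

Feeding it the headers of a static page and of a cart CGI page (captured with any HTTP client that shows raw headers) makes the missing-header case visible before IE7 does.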