1

I am adding in a P3P header for privacy into a site, and was wondering if the header should be attached to HTML pages only, or to all responses (such as images, CSS and script)?

I currently have the header attached to all responses, but wanted to confirm if this is correct?

Brett

1 Answer

0

The P3P header should be passed back on pages that write private information, such as cookies. The header can be passed back on static resources, but I doubt IE does anything with it. If you make an application-wide P3P header injection, then things should still work fine.

In my case for a Grails application in an IFRAME, I had to inject the headers early in the request cycle when the JSESSIONID was first assigned so that IE would store the cookie at the proper time.

mongermd
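An application-wide injection of the kind the answer describes can be done with a servlet filter that sets the header before the rest of the request is processed, so it is already on the response that carries the session cookie. This is an added example, not code from the original post; the class name `P3PHeaderFilter` is hypothetical, the compact policy value is a placeholder, and it assumes the `javax.servlet` API (newer containers use the `jakarta.servlet` package instead).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: map it to /* and register it ahead of any filter or
// servlet that may create the HTTP session or write to the response body.
public class P3PHeaderFilter implements Filter {

    // Placeholder: replace with the compact policy that matches the site's
    // actual P3P policy. No real policy value is given on this page.
    private static final String COMPACT_POLICY =
            "CP=\"REPLACE_WITH_SITE_COMPACT_POLICY\"";

    @Override
    public void init(FilterConfig config) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse && !res.isCommitted()) {
            // Set the header BEFORE chain.doFilter(): once the response is
            // committed, setHeader() calls are ignored, and the header has to
            // travel with the response that carries the Set-Cookie for the
            // session (JSESSIONID) for the browser to apply the policy to it.
            ((HttpServletResponse) res).setHeader("P3P", COMPACT_POLICY);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Because the filter runs on every mapped request, static resources receive the header as well, which matches the application-wide approach described in the answer.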