Remove P3P header from authentication flow

Closes #23348

services/src/main/java/org/keycloak/protocol/oidc/endpoints/IframeUtil.java

@@ -21,7 +21,6 @@ import org.keycloak.common.Version;
 import org.keycloak.headers.SecurityHeadersProvider;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.services.util.CacheControlUtil;
-import org.keycloak.services.util.P3PHelper;
 
 import jakarta.ws.rs.core.CacheControl;
 import jakarta.ws.rs.core.Response;
@@ -41,7 +40,6 @@ public class IframeUtil {
 
         InputStream resource = IframeUtil.class.getResourceAsStream(fileName);
         if (resource != null) {
-            P3PHelper.addP3PHeader(session);
             session.getProvider(SecurityHeadersProvider.class).options().allowAnyFrameAncestor();
             return Response.ok(resource).cacheControl(cacheControl).build();
         } else {

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -84,7 +84,6 @@ import org.keycloak.services.resources.LoginActionsService;
 import org.keycloak.services.resources.RealmsResource;
 import org.keycloak.services.util.AuthorizationContextUtil;
 import org.keycloak.services.util.CookieHelper;
-import org.keycloak.services.util.P3PHelper;
 import org.keycloak.sessions.AuthenticationSessionModel;
 import org.keycloak.sessions.CommonClientSessionModel;
 import org.keycloak.sessions.RootAuthenticationSessionModel;
@@ -800,7 +799,6 @@ public class AuthenticationManager {
         // Max age should be set to the max lifespan of the session as it's used to invalidate old-sessions on re-login
         int sessionCookieMaxAge = session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0 ? realm.getSsoSessionMaxLifespanRememberMe() : realm.getSsoSessionMaxLifespan();
         CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, sessionCookieMaxAge, secureOnly, false, SameSiteAttributeValue.NONE, keycloakSession);
-        P3PHelper.addP3PHeader(keycloakSession);
     }
 
     public static void createRememberMeCookie(String username, UriInfo uriInfo, KeycloakSession session) {

services/src/main/java/org/keycloak/services/util/P3PHelper.java

@@ -1,35 +0,0 @@
-/*
- * Copyright 2016 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.keycloak.services.util;
-
-import org.keycloak.http.HttpResponse;
-import org.keycloak.models.KeycloakSession;
-
-/**
- * IE requires P3P header to allow loading cookies from iframes when domain differs from main page (see KEYCLOAK-2828 for more details)
- *
- * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
- */
-public class P3PHelper {
-
-    public static void addP3PHeader(KeycloakSession session) {
-        HttpResponse response = session.getContext().getHttpResponse();
-        response.setHeader("P3P", "CP=\"This is not a P3P policy!\"");
-    }
-
-}

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java

@@ -88,8 +88,6 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
 
             response = client.execute(post);
 
-            assertEquals("CP=\"This is not a P3P policy!\"", response.getFirstHeader("P3P").getValue());
-
             Header setIdentityCookieHeader = null;
             Header setSessionCookieHeader = null;
             for (Header h : response.getAllHeaders()) {
@@ -123,7 +121,6 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
             response = client.execute(get);
 
             assertEquals(200, response.getStatusLine().getStatusCode());
-            assertEquals("CP=\"This is not a P3P policy!\"", response.getFirstHeader("P3P").getValue());
             assertNull(response.getFirstHeader(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName()));
             assertEquals("frame-src 'self'; object-src 'none';", response.getFirstHeader(BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getHeaderName()).getValue());
             assertEquals("none", response.getFirstHeader(BrowserSecurityHeaders.X_ROBOTS_TAG.getHeaderName()).getValue());