Setting P3P header before Set-Cookie

Based on my testing (with IE, where P3P is really an issue) the order of the headers doesn't matter. If you want to hack in and play with it yourself, you can crack open the Mongrel source and add your P3P header at the top. The code is in the cgi.rb file in the "out" method. That's what I did, and didn't notice any behavioral differences.

I fought with this P3P stuff for a long time. Ultimately, what I found is that my compact privacy policy was being misread by IE (not that it would tell you that). For whatever reason, I had to make sure the "CP" clause came before the "policyref" clause, even though I saw examples to the contrary. So, ultimately I have this in a before_filter in application.rb:

headers['P3P'] = %|CP="CAO DSP CURa ADMa DEVa OUR NOR DEM STA" policyref="#{PUBLIC_BASE_URI}/w3c/p3p.xml"|

And it seems to work.

Hope that helps.

Tom
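
An added example, not part of Tom's message or of Rails or Mongrel: a checker that parses a P3P header value, reports whether CP comes before policyref (the order the message above reports IE needing), and a Rack-style middleware that enforces that order on any response setting a cookie. The names P3PHeader and EnsureP3P are hypothetical, and emitting the fields space-separated follows the layout in the message.

```ruby
# Added example, not code from the original message. P3PHeader and EnsureP3P
# are hypothetical names chosen for illustration.
module P3PHeader
  FIELD = /\b(CP|policyref)\s*=\s*"([^"]*)"/i
  # Fields as [name, value] pairs, in the order they appear in the header.
  def self.parse(value)
    value.to_s.scan(FIELD).map do |name, val|
      [name.casecmp('cp').zero? ? 'CP' : 'policyref', val.strip]
    end
  end

  # True only when a CP field exists and no policyref precedes it.
  def self.cp_first?(value)
    names = parse(value).map(&:first)
    cp = names.index('CP')
    ref = names.index('policyref')
    !cp.nil? && (ref.nil? || cp < ref)
  end

  # Re-emit in the message's layout: CP first, then policyref, space separated.
  def self.normalize(value)
    fields = parse(value).to_h
    raise ArgumentError, 'P3P value has no CP field' unless fields['CP']
    out = %(CP="#{fields['CP'].split.join(' ')}")
    out += %( policyref="#{fields['policyref']}") if fields['policyref']
    out
  end
end

# Rack-style middleware: any response that sets a cookie gets a P3P header
# with CP first, whatever order the application produced.
class EnsureP3P
  def initialize(app, default)
    @app = app
    @default = P3PHeader.normalize(default)
  end
  def call(env)
    status, headers, body = @app.call(env)
    if headers.keys.any? { |k| k.casecmp('set-cookie').zero? }
      key = headers.keys.find { |k| k.casecmp('p3p').zero? } || 'P3P'
      cur = headers[key]
      unless P3PHeader.cp_first?(cur)
        # Reorder an existing policy; fall back to the default if CP is absent.
        headers[key] = P3PHeader.parse(cur).assoc('CP') ? P3PHeader.normalize(cur) : @default
      end
    end
    [status, headers, body]
  end
end
```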