Setting P3P header before Set-Cookie

Based on my testing (with IE, where P3P is really an issue) the order
of the headers doesn't matter. If you want to hack in and play with
it yourself, you can crack open the mongrel source and add your p3p
header at the top. The code is in the cgi.rb file in the "out"
method. That's what I did, and didn't notice any behavioral

I fought with this P3P stuff for a long time. Ultimately, what I
found is that my compact privacy policy was being misread by IE (not
that it would tell you that). For whatever reason, I had to make sure
the "CP" clause came before the "policyref" clause, even though I saw
examples to the contrary. So, ultimately I have this in a
before_filter in application.rb:

headers['P3P'] = %|CP="CAO DSP CURa ADMa DEVa OUR NOR DEM STA"

And it seems to work.

Hope that helps.