Re: The P3P specification says that browsers should ignore unknown tokens
"Nothing wrong with this. If you ignore the token you should then fall back to the browser settings."
I agree absolutely - I'm not holding up Google as a paragon of virtue, but this is the main problem IMO, and the fact that it doesn't default to the browser settings was used, against other things, to avoid an issue with cookies and frames in IE (i.e. it might be viewed as a deliberately implemented security flaw to patch up an old browser bug). The workaround is widely used, according to a 2010 study of P3P CP tokens
- a common form of which was suggested by Microsoft themselves, originally under KB article Q323752. An excerpt from the paper also gives an overview:
"We discovered that Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE. Specifically, a FRAMESET or parent window that references another site inside a FRAME considers the referenced site as a third-party, even if it is first-party content located on the same server"
Lots of companies still use it, including the privacy-loving Facebook, and there is a highly readable article on this (rather old) news here.
I recommend reading that article as well as the CMU study - it might put some of the nonsense being peddled on the internet in perspective. Were Google using the loophole so they could set their user info cookies, which could be used by others for other purposes - well yes, they say as much. Were they not as wide-eyed innocent as they make out, almost certainly. Was Microsoft really unaware of this, doubtful, but if so that strikes me as, at best, borderline incompetent - everybody else seems to know and that mechanism was also used by the microsoft.com and windows.com domains. Were Microsoft using the Safari press as a convenient springboard to announce this "news" - almost certainly.
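As an added illustration (not code from the post or from the CMU study), here is a small Python audit that pulls the CP value out of a P3P response header and flags any token outside the P3P 1.0 compact-policy vocabulary, which is exactly what separates the "invalid CP" workaround discussed above from a genuine compact policy. The header values it checks are constructed samples.

```python
import re

# P3P 1.0 compact-policy vocabulary. Purpose and most recipient tokens may carry
# an a/i/o suffix (always / opt-in / opt-out); the rest appear bare.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NONIDENT = {"NID"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "GOV", "FIN", "UNI", "PUR", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"}
TEST = {"TST"}
BARE = ACCESS | DISPUTES | REMEDIES | NONIDENT | RECIPIENT | RETENTION | CATEGORY | TEST
SUFFIXED = PURPOSE | (RECIPIENT - {"OUR"})  # OUR takes no suffix in the spec

def is_known_token(tok):
    """True if tok is a P3P 1.0 compact token (tokens are case-sensitive, uppercase)."""
    if tok in BARE or tok in SUFFIXED:
        return True
    return len(tok) == 4 and tok[:3] in SUFFIXED and tok[3] in "aio"

def extract_cp(header_value):
    """Return the quoted CP value from a P3P header, or None if there is no CP attribute."""
    m = re.search(r'[Cc][Pp]\s*=\s*"([^"]*)"', header_value)
    return m.group(1) if m else None

def audit_p3p(header_value):
    """Classify a P3P header value and list the tokens that are not in the vocabulary.

    Returns ("missing-cp" | "empty" | "valid" | "invalid", [unknown tokens]).
    An "invalid" result is the signature of the KB-style workaround: a CP that a
    conforming user agent cannot evaluate and should fall back to its own settings for.
    """
    cp = extract_cp(header_value)
    if cp is None:
        return "missing-cp", []
    tokens = cp.split()
    if not tokens:
        return "empty", []
    unknown = [t for t in tokens if not is_known_token(t)]
    return ("invalid" if unknown else "valid"), unknown

if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    samples = ['CP="NOI DSP COR NID CURa ADMa OUR NOR"',
               'CP="This is not a P3P policy. See example.invalid for details."',
               'policyref="/w3c/p3p.xml"']
    for s in samples:
        print(audit_p3p(s))
```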