- From: Giorgio Maone <g.maone@informaction.com>
- Date: Wed, 11 Jun 2014 01:04:59 +0200
- To: public-webappsec@w3.org
- Message-ID: <53978F1B.8080902@informaction.com>

On 10/06/2014 23:44, Oda, Terri wrote:
> On Tue, Jun 10, 2014 at 12:25 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
>
>> On 6/9/14 9:50 PM, Mike West wrote:
>>
>>> I'd prefer to maintain the ability to tighten a page's policy,
>>> as I think there are totally valid use cases for such a thing,
>>> but so far I've been the only one in favor of that, and the
>>> spec reflects my understanding of the group's consensus.
>>
>> I don't see any problem with using a meta policy to tighten (and
>> not loosen) a header policy. Perhaps we can revisit this discussion.
>
> This also sounds reasonable to me, and seems like it would be pretty
> useful in the case of many types of setup where the host might want to
> provide a base policy but allow users to add additional user-defined
> security policies (e.g. wordpress, github). I'm actually surprised
> you were the only one in favour given that this seems particularly
> useful in a lot of the same situations where the meta tag would be
> useful in the first place.
>
> Terri

+1

Received on Tuesday, 10 June 2014 23:05:28 UTC