Re: Header Policy Vs. Meta tag policy

From: Oda, Terri <terri.oda@intel.com>
Date: Tue, 10 Jun 2014 14:44:47 -0700
Message-ID: <CACoC0R8G4TF5BEuoDRqsqib9NcpUsg1W03jf=RSSR76-yXXX4g@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: Mike West <mkwst@google.com>, Kevin Hill <khill@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Jun 10, 2014 at 12:25 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:

> On 6/9/14 9:50 PM, Mike West wrote:
>
>>
>> I'd prefer to maintain the ability to tighten a page's policy, as I think
>> there are totally valid use cases for such a thing, but so far I've been
>> the only one in favor of that, and the spec reflects my understanding of
>> the group's consensus.
>>
>
> I don't see any problem with using a meta policy to tighten (and not
> loosen) a header policy.  Perhaps we can revisit this discussion.
>

This also sounds reasonable to me, and seems like it would be pretty useful
in the case of many types of setup where the host might want to provide a
base policy but allow users to add additional user-defined security
policies (e.g. WordPress, GitHub).  I'm actually surprised you were the
only one in favour given that this seems particularly useful in a lot of
the same situations where the meta tag would be useful in the first place.

 Terri
Received on Tuesday, 10 June 2014 21:45:16 UTC