On Tue, Jun 10, 2014 at 12:25 PM, Tanvi Vyas <tanvi@mozilla.com> wrote: > On 6/9/14 9:50 PM, Mike West wrote: > >> >> I'd prefer to maintain the ability to tighten a page's policy, as I think >> there are totally valid use cases for such a thing, but so far I've been >> the only one in favor of that, and the spec reflects my understanding of >> the group's consensus. >> > > I don't see any problem with using a meta policy to tighten (and not > loosen) a header policy. Perhaps we can revisit this discussion. > This also sounds reasonable to me, and seems like it would be pretty useful in the case of many types of setup where the host might want to provide a base policy but allow users to add additional user-defined security policies (e.g. wordpress, github). I'm actually surprised you were the only one in favour given that this seems particularly useful in a lot of the same situations where the meta tag would be useful in the first place. Terri
Received on Tuesday, 10 June 2014 21:45:16 UTC