Re: Header Policy Vs. Meta tag policy

On Tue, Jun 10, 2014 at 12:25 PM, Tanvi Vyas wrote:

> On 6/9/14 9:50 PM, Mike West wrote:
>> I'd prefer to maintain the ability to tighten a page's policy, as I think
>> there are totally valid use cases for such a thing, but so far I've been
>> the only one in favor of that, and the spec reflects my understanding of
>> the group's consensus.
> I don't see any problem with using a meta policy to tighten (and not
> loosen) a header policy.  Perhaps we can revisit this discussion.

This also sounds reasonable to me, and seems like it would be pretty useful
in the case of many types of setup where the host might want to provide a
base policy but allow users to add additional user-defined security
policies (e.g. WordPress, GitHub).  I'm actually surprised you were the
only one in favour given that this seems particularly useful in a lot of
the same situations where the meta tag would be useful in the first place.


Received on Tuesday, 10 June 2014 21:45:16 UTC