
Re: Header Policy Vs. Meta tag policy

From: Giorgio Maone <g.maone@informaction.com>
Date: Wed, 11 Jun 2014 01:04:59 +0200
Message-ID: <53978F1B.8080902@informaction.com>
To: public-webappsec@w3.org
On 10/06/2014 23:44, Oda, Terri wrote:
> On Tue, Jun 10, 2014 at 12:25 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
>
>     On 6/9/14 9:50 PM, Mike West wrote:
>
>
>         I'd prefer to maintain the ability to tighten a page's policy,
>         as I think there are totally valid use cases for such a thing,
>         but so far I've been the only one in favor of that, and the
>         spec reflects my understanding of the group's consensus.
>
>
>     I don't see any problem with using a meta policy to tighten (and
>     not loosen) a header policy.  Perhaps we can revisit this discussion.
>
>
> This also sounds reasonable to me, and seems like it would be pretty
> useful in the case of many types of setup where the host might want to
> provide a base policy but allow users to add additional user-defined
> security policies (e.g. WordPress, GitHub).  I'm actually surprised
> you were the only one in favour given that this seems particularly
> useful in a lot of the same situations where the meta tag would be
> useful in the first place.
>
>  Terri
>
+1
Received on Tuesday, 10 June 2014 23:05:28 UTC
