Re: Header Policy Vs. Meta tag policy

Hooray! The silent majority appears! I'll happily change the spec if other
folks are on board. :)

http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0199.html was
the last conversation about this; there were a few threads earlier last
year as well that I'm having trouble finding. CCing Dan, as I think he had
opinions about this.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Wed, Jun 11, 2014 at 1:04 AM, Giorgio Maone <g.maone@informaction.com>
wrote:

>  On 10/06/2014 23:44, Oda, Terri wrote:
>
>  On Tue, Jun 10, 2014 at 12:25 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
>
>> On 6/9/14 9:50 PM, Mike West wrote:
>>
>>>
>>> I'd prefer to maintain the ability to tighten a page's policy, as I
>>> think there are totally valid use cases for such a thing, but so far I've
>>> been the only one in favor of that, and the spec reflects my understanding
>>> of the group's consensus.
>>>
>>
>>  I don't see any problem with using a meta policy to tighten (and not
>> loosen) a header policy.  Perhaps we can revisit this discussion.
>>
>
>  This also sounds reasonable to me, and seems like it would be pretty
> useful in the case of many types of setup where the host might want to
> provide a base policy but allow users to add additional user-defined
> security policies  (e.g. wordpress, github).  I'm actually surprised you
> were the only one in favour given that this seems particularly useful in a
> lot of the same situations where the meta tag would be useful in the first
> place.
>
>   Terri
>
>   +1
>