Re: Header Policy Vs. Meta tag policy

Hooray! The silent majority appears! I'll happily change the spec if other
folks are on board. :) was
the last conversation about this; there were a few threads earlier last
year as well that I'm having trouble finding. CCing Dan, as I think he had
opinions about this.


Mike West <>
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Jun 11, 2014 at 1:04 AM, Giorgio Maone <>

>  On 10/06/2014 23:44, Oda, Terri wrote:
>  On Tue, Jun 10, 2014 at 12:25 PM, Tanvi Vyas <> wrote:
>> On 6/9/14 9:50 PM, Mike West wrote:
>>> I'd prefer to maintain the ability to tighten a page's policy, as I
>>> think there are totally valid use cases for such a thing, but so far I've
>>> been the only one in favor of that, and the spec reflects my understanding
>>> of the group's consensus.
>>  I don't see any problem with using a meta policy to tighten (and not
>> loosen) a header policy.  Perhaps we can revisit this discussion.
>  This also sounds reasonable to me, and seems like it would be pretty
> useful in the case of many types of setup where the host might want to
> provide a base policy but allow users to add additional user-defined
> security policies  (e.g. wordpress, github).  I'm actually surprised you
> were the only one in favour given that this seems particularly useful in a
> lot of the same situations where the meta tag would be useful in the first
> place.
>   Terri
>   +1

Received on Wednesday, 11 June 2014 03:57:27 UTC