Re: Header Policy Vs. Meta tag policy

On Wed, Jun 11, 2014 at 8:55 PM, Devdatta Akhawe <>

> I agree with you. I think we should definitely encourage the ability to
> lock down further via multiple policies.


> I glanced over the directive list and I wonder if whitelisting does
> suffice: how about we only allow all *-src and form-action in the meta
> element? It does seem conceptually clearer than the blacklisting approach,
> where we have to think about threats every time a new directive is added.

What about 'plugin-types'? What about 'referrer'? What about
'frame-ancestors'? I can see value in all three.

Basically, I think we have to think about the threats for all of the
directives anyway (and there are only 18 of them). It's clearly bad to
screw around with XSS protections (
It's clearly bad to turn on reporting. Sandboxing is fairly ineffective
once the page has loaded.

It seems like there are reasonable arguments for allowing the rest of the
directives. *shrug* We could certainly just whitelist (all of) those, and
then do the same exercise again when we add new directives in 1.2.


Received on Thursday, 12 June 2014 07:20:55 UTC
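An added illustration of the whitelist-versus-blacklist question discussed in the message (example code, not from the thread and not the spec's own algorithm). It parses a serialized CSP and applies each approach to decide which directives survive in a meta element; the assumption is that the blacklist covers report-uri, sandbox and reflected-xss as the "reporting", "sandboxing" and "XSS protection" directives the message refers to, and that the constructed input includes a made-up future directive to show how the two approaches treat it.

```javascript
// Constructed example: two ways to filter a CSP for delivery via <meta>.
// Directive names are real CSP 1.1 names; which ones to blacklist is an
// assumption based on the message, not a spec quotation.

// Blacklist approach: name the directives that are unsafe in meta.
const META_BLACKLIST = new Set(['report-uri', 'sandbox', 'reflected-xss']);

// Parse "default-src 'self'; img-src *" into [[name, [values...]], ...].
// Empty directives (e.g. trailing ';') are dropped; names are case-insensitive.
function parsePolicy(serialized) {
  return serialized
    .split(';')
    .map(d => d.trim())
    .filter(d => d.length > 0)
    .map(d => {
      const [name, ...values] = d.split(/\s+/);
      return [name.toLowerCase(), values];
    });
}

function serializePolicy(directives) {
  return directives
    .map(([name, values]) => [name, ...values].join(' '))
    .join('; ');
}

// Whitelist approach: keep only *-src directives and form-action.
// Anything else, including a directive added in a later spec version,
// is silently dropped until it is explicitly reviewed and added.
function whitelistForMeta(serialized) {
  return serializePolicy(
    parsePolicy(serialized).filter(
      ([name]) => name.endsWith('-src') || name === 'form-action'));
}

// Blacklist approach: drop only the named directives. A new directive
// passes through unreviewed, which is the risk the message points out.
function blacklistForMeta(serialized) {
  return serializePolicy(
    parsePolicy(serialized).filter(([name]) => !META_BLACKLIST.has(name)));
}

// Constructed policy; "future-thing" stands in for a directive added later.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example; " +
  "form-action 'self'; report-uri /csp; sandbox; " +
  "frame-ancestors 'none'; future-thing x";
```

Running both filters over SAMPLE_POLICY shows the trade-off: the whitelist also drops frame-ancestors, which the message considers valuable, while the blacklist keeps it but lets the unknown future-thing directive through.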