Replies: 5 comments
-
Hi, I totally share your remark 😃 I proposed such a configuration to deny all by default, but it's true that it causes the value to be long. I will review my proposal by deep diving into the header spec (+ tests on browsers) to address the concern. Thanks again for your very useful remarks and the issue opened on the W3C repository with a cross reference to OSHP 👍
-
⚒ Issue #11 created to track the work on this topic.
-
Once the issue w3c/webappsec-permissions-policy#483 has feedback from the project team, I will adapt the policy to achieve the goal of off by default, as @ecki mentioned. Currently, I have read the spec another time and I can do nothing more than explicitly mention all directives with an empty allow list, with the risk of forgetting new directives 👎
-
Issue still open 😞
-
I am closing the topic because the issue never got a reply 😞
-
The best practice shows a quite long feature-policy header. I think that has 3 problems:
a) it’s long
b) it might become incomplete
c) I have the feeling it does not really fit the intended use (none of the W3C examples go so far)
But maybe I am wrong about point c); for that reason I started an issue in the W3C reference project, which you might like to visit:
w3c/webappsec-permissions-policy#483
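Added example, not part of the discussion above and not OSHP or W3C code: a small audit for the "it might become incomplete" concern, which reports directives missing from a deny-by-default `Permissions-Policy` value and directives whose allow list is not empty. The `EXPECTED` set and the sample header are constructed for illustration (the set is a sample subset, not a complete directive list), and the parser is a simplification rather than a full Structured Fields parser.

```python
# Added example: audit a deny-by-default Permissions-Policy header.
# EXPECTED is a constructed sample subset of feature names, not a complete list.
EXPECTED = {"accelerometer", "camera", "geolocation", "gyroscope",
            "magnetometer", "microphone", "payment", "usb"}


def parse_policy(header_value):
    """Return {directive: [allow list items]} for a Permissions-Policy value.

    Simplified: handles `name=()`, `name=(self "https://a.example")`,
    `name=*` and `name=self`; parameters and quoted commas are not handled.
    """
    policy = {}
    for member in header_value.split(","):
        member = member.strip()
        if not member:
            continue
        name, sep, value = member.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if not sep:
            # A bare key carries no allow list; record it so it gets flagged.
            policy[name] = ["<bare>"]
        elif value.startswith("(") and value.endswith(")"):
            policy[name] = value[1:-1].split()  # "()" gives an empty list
        else:
            policy[name] = [value]
    return policy


def audit(header_value, expected=EXPECTED):
    """Report expected directives that are absent and directives not denied."""
    policy = parse_policy(header_value)
    missing = sorted(expected - policy.keys())
    not_denied = sorted(name for name, allow in policy.items() if allow)
    return {"missing": missing, "not_denied": not_denied}


# Constructed sample header: two directives forgotten, one left open to self.
SAMPLE = ("camera=(), microphone=(), geolocation=(self), "
          "payment=(), usb=(), accelerometer=()")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the header a site actually sends, with `EXPECTED` maintained from the current feature registry, this turns a forgotten directive into a failing check.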