-
Notifications
You must be signed in to change notification settings - Fork 155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deny all like alias for the Permission-Policy: Header #483
Comments
Started a discussion on OSHP here: oshp/oshp-tracking#10 |
See also #481 |
The lack of this feature seems like a huge oversight to me. It seems to me that the Still, an That way you can disable all permissions by default (maximum security), then selectively override various permissions you know you will utilise. The alternative is to have an extremely long list of rules in each HTTP header which:
You can argue that something like |
This has been a long-standng request, from a lot of developers who make a lot of good points about the ever-increasing number of policy-controlled features, and the terrible ergonomics of turning them all off individually. @marcoscaceres and I met today to discuss this, and have a concrete proposal to do exactly this - disable all (safe-to-disable) features by default, and allow individual ones to be overridden. I'm going to close this (and other related issues), but only in order to move the discussion to a central place at #189 (comment) |
When using the http header to harden a plain web page it would be useful to specify all (including future) features in a way that they default to „secure off“, is this planned?
this will allow only geolocation access all other features cannot be turned on (this would require a definition which features this includes, a feature like „javascript“ and „html Rendering“ should of course not be included in the future (but might be in an initial definition of „all“)
maybe use a different keyword than
all
orother
, likeenhancedpage=()
meaning „this page wants to opt out from any enhanced access“?if you don’t do that it will have two results, first of all new features are not automatically denied by existing policies and secondly projects like the OSHP project recommend long and verbose „best practice“ headers like the following which take up a lot of bandwidth:
The text was updated successfully, but these errors were encountered: