Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't think the meta version of Permissions-Policy ever got implemented. "http-equiv" isn't a magic "here's a HTTP header I forgot to mention" pixie dust.

Better stick to the actual recommendation of adding the header in the server configuration.



Whilst http-equiv is said to be an enumerated value, so far as I know in Chrome, it actually is "magic HTTP Header pixie dust": [0]

And whilst in Firefox parsing of the element is more spread out, they accept a very wide number of headers that aren't documented, and you'll find examples on MDN for any number of headers using http-equiv which aren't specified in the standard or on their docs for http-equiv itself [2] (For example, X-DNS-Prefetch-Control [1]).

[0] https://source.chromium.org/chromium/chromium/src/+/master:o...

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-...

[2] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/me...


In my case I don’t have access to the server configuration. I’m running a blog with Ghost Pro, is the above a reasonable workaround?




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: