by jeroenhd 6 days ago
It states something about "your organisation's security requirements", do they document what requirements cause this rejection page? Some kind of changed default perhaps?
2 comments

No, this is easily the biggest flaw in CAA - there is no way to discover which policy broke your access. I have reported this to Google multiple times, even sent this directly to a Google SecEng (a well known one) to route internally. The issue persists and makes configuring CAA extremely painful and error prone.
I am convinced there's someone who thinks debuggable security policies are a security risk and deliberately designs security APIs to be as inscrutable as possible.
It's possible but I suspect it's just Google being a rather incompetent organization.
Maybe not, but I have the feeling Google doesn't like that FF continues to support manifest v2.
I think it's just that some of the device policy restrictions the Org admin can choose to enable don't work in FF. So if they require them, no FF.