
Re: [webappsec] Cascading style-src onto font-src in CSP

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 3 Dec 2013 23:02:17 -0800
Message-ID: <CA+c2ei9MygUtVgrBe7BZUyBQQZFWbthMmZkPiGDZn2kmRc8B-Q@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>, sicking <sicking@mozilla.com>, Neil Matatall <neilm@twitter.com>
Yup, that was it. Though explicitly specifying font-src would just let
paranoids add additional restrictions, but would also let you add in font
foundries as additional allowed sources of fonts.

I.e. the same way that img-src can both relax and tighten default-src.

/ Jonas
On Dec 3, 2013 10:41 PM, "Brad Hill" <hillbrad@gmail.com> wrote:

> Argh.. looking at the old minutes there isn't much, and I dimly recall
> Jonas stepped in to chat during a break when we weren't minuting.
>
> I think the basic idea was that most folks consider fonts to be part of
> styling a page, that they are likely to be loaded from imported CSS rather
> than directly specified in the resource, and that the attack vectors we're
> defending here are related, so it would be simpler and more intuitive for
> most developers to have it work this way, and give font-src as a more
> granular way for the paranoid to add additional restrictions if needed.
>
> But I could be remembering incorrectly after a year.  I've cc'd him
> directly, perhaps he can correct me.
>
> -Brad
>
>
> On Tue, Dec 3, 2013 at 10:26 PM, Neil Matatall <neilm@twitter.com> wrote:
>
>> This seems to add unnecessary complexity, but maybe I don't understand
>> the use case.
>>
>> On Tue, Dec 3, 2013 at 10:15 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> > As I was thinking about the frame-src, worker-src stuff, I remembered:
>> >
>> >  At last year's TPAC in Lyon, we had Jonas Sicking visit us, and came to
>> > rough consensus at his suggestion that, if font-src wasn't explicitly
>> > specified, it should take the value of style-src, if specified, before
>> > it takes the value of default-src.
>> >
>> >  I notice this isn't in the current 1.1 draft.  Did this just get
>> > forgotten along the way because we forgot to track an action for it, or
>> > was it deliberately rejected?  (it would've been the first and only
>> > multiply-cascaded directive)
>> >
>> >   Would anybody like to jog my memory, or give their $0.02 on the matter
>> > today?
>> >
>> > -Brad
>>
>
>
Received on Wednesday, 4 December 2013 07:02:45 UTC
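An added example, not from the thread or from any CSP specification or browser: a small model of the fallback order under discussion, so the "relax and tighten" point Jonas makes can be checked against concrete policies. Policy strings, origins and the simplified source matching are constructed for illustration.

```python
"""Model the proposed CSP directive cascade discussed in the thread.

Constructed example: parses a Content-Security-Policy header and resolves
which source list governs a font load under two fallback orders:
  - as in the CSP 1.x drafts:  font-src -> default-src
  - as proposed at TPAC:       font-src -> style-src -> default-src
"""
from typing import Dict, List, Optional

SPEC_FALLBACK = {"font-src": ["default-src"]}
PROPOSED_FALLBACK = {"font-src": ["style-src", "default-src"]}


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into directive-name -> source-expression list."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str,
                      fallback: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list that governs `directive` after fallback.
    None means nothing applies, so the load is unrestricted."""
    for name in [directive] + fallback.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def allows(sources: Optional[List[str]], origin: str, self_origin: str) -> bool:
    """Simplified source matching (constructed): 'self', '*', or exact origin."""
    if sources is None:
        return True
    for src in sources:
        s = src.strip("'").lower()
        if s == "*" or s == origin.lower() or (s == "self" and origin == self_origin):
            return True
    return False


def font_allowed(header: str, origin: str, self_origin: str = "https://example.test",
                 cascade_style: bool = False) -> bool:
    """Would a font fetched from `origin` be permitted under this policy?"""
    fallback = PROPOSED_FALLBACK if cascade_style else SPEC_FALLBACK
    sources = effective_sources(parse_policy(header), "font-src", fallback)
    return allows(sources, origin, self_origin)
```

With `default-src 'self'; style-src 'self' https://fonts.cdn.test` the cascade relaxes font loading to the foundry host; with `default-src *; style-src 'self'` it tightens it to same-origin only.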
