W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

[webappsec] Cascading style-src onto font-src in CSP

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 3 Dec 2013 22:15:10 -0800
Message-ID: <CAEeYn8ikcZ2KgZ84FT6AJ_RAqZpyUdKucpEqZ+JQrykMYB0h1A@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
As I was thinking about the frame-src, worker-src stuff, I remembered:

 A last year's TPAC in Lyon, we had Jonas Sicking visit us, and came to
rough consensus at his suggestion that, if font-src wasn't explicitly
specified, it should take the value of style-src, if specified, before it
takes the value of default-src.

 I notice this isn't in the current 1.1 draft.  Did this just get forgotten
along the way because we forgot to track an action for it, or was it
deliberately rejected?  (it would've been the first and only
multiply-cascaded directive)

  Would anybody like to jog my memory, or give their $0.02 on the matter

Received on Wednesday, 4 December 2013 06:15:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:35 UTC