Re: [webappsec] Cascading style-src onto font-src in CSP

This seems to add unnecessary complexity, but maybe I don't understand
the use case.

On Tue, Dec 3, 2013 at 10:15 PM, Brad Hill <> wrote:
> As I was thinking about the frame-src, worker-src stuff, I remembered:
>  A last year's TPAC in Lyon, we had Jonas Sicking visit us, and came to
> rough consensus at his suggestion that, if font-src wasn't explicitly
> specified, it should take the value of style-src, if specified, before it
> takes the value of default-src.
>  I notice this isn't in the current 1.1 draft.  Did this just get forgotten
> along the way because we forgot to track an action for it, or was it
> deliberately rejected?  (it would've been the first and only
> multiply-cascaded directive)
>   Would anybody like to jog my memory, or give their $0.02 on the matter
> today?
> -Brad

Received on Wednesday, 4 December 2013 06:27:47 UTC