- From: Neil Matatall <neilm@twitter.com>
- Date: Tue, 3 Dec 2013 22:26:38 -0800
- To: Brad Hill <hillbrad@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
This seems to add unnecessary complexity, but maybe I don't understand the use case. On Tue, Dec 3, 2013 at 10:15 PM, Brad Hill <hillbrad@gmail.com> wrote: > As I was thinking about the frame-src, worker-src stuff, I remembered: > > A last year's TPAC in Lyon, we had Jonas Sicking visit us, and came to > rough consensus at his suggestion that, if font-src wasn't explicitly > specified, it should take the value of style-src, if specified, before it > takes the value of default-src. > > I notice this isn't in the current 1.1 draft. Did this just get forgotten > along the way because we forgot to track an action for it, or was it > deliberately rejected? (it would've been the first and only > multiply-cascaded directive) > > Would anybody like to jog my memory, or give their $0.02 on the matter > today? > > -Brad
Received on Wednesday, 4 December 2013 06:27:47 UTC