W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

Re: [webappsec] Cascading style-src onto font-src in CSP

From: Neil Matatall <neilm@twitter.com>
Date: Tue, 3 Dec 2013 22:26:38 -0800
Message-ID: <CAOFLtbjBTSbu3QKN4QVGDeSr4esLrvhih-o2wmaZNiRcosEXVQ@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
This seems to add unnecessary complexity, but maybe I don't understand
the use case.

On Tue, Dec 3, 2013 at 10:15 PM, Brad Hill <hillbrad@gmail.com> wrote:
> As I was thinking about the frame-src, worker-src stuff, I remembered:
>
>  A last year's TPAC in Lyon, we had Jonas Sicking visit us, and came to
> rough consensus at his suggestion that, if font-src wasn't explicitly
> specified, it should take the value of style-src, if specified, before it
> takes the value of default-src.
>
>  I notice this isn't in the current 1.1 draft.  Did this just get forgotten
> along the way because we forgot to track an action for it, or was it
> deliberately rejected?  (it would've been the first and only
> multiply-cascaded directive)
>
>   Would anybody like to jog my memory, or give their $0.02 on the matter
> today?
>
> -Brad
Received on Wednesday, 4 December 2013 06:27:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC