- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 3 Dec 2013 22:41:29 -0800
- To: Neil Matatall <neilm@twitter.com>, Jonas Sicking <sicking@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8i=JNesJmxU8iOpYq-H5DYMhWvjPc1vssErypF4dKwvSA@mail.gmail.com>
Argh.. looking at the old minutes there isn't much, and I dimly recall Jonas stepped in to chat during a break when we weren't minuting.

I think the basic idea was that most folks consider fonts to be part of styling a page, that they are likely to be loaded from imported CSS rather than directly specified in the resource, and that the attack vectors we're defending here are related, so it would be simpler and more intuitive for most developers to have it work this way, and give font-src as a more granular way for the paranoid to add additional restrictions if needed.

But I could be remembering incorrectly after a year. I've cc'd him directly, perhaps he can correct me.

-Brad

On Tue, Dec 3, 2013 at 10:26 PM, Neil Matatall <neilm@twitter.com> wrote:
> This seems to add unnecessary complexity, but maybe I don't understand
> the use case.
>
> On Tue, Dec 3, 2013 at 10:15 PM, Brad Hill <hillbrad@gmail.com> wrote:
> > As I was thinking about the frame-src, worker-src stuff, I remembered:
> >
> > At last year's TPAC in Lyon, we had Jonas Sicking visit us, and came to
> > rough consensus at his suggestion that, if font-src wasn't explicitly
> > specified, it should take the value of style-src, if specified, before it
> > takes the value of default-src.
> >
> > I notice this isn't in the current 1.1 draft. Did this just get forgotten
> > along the way because we forgot to track an action for it, or was it
> > deliberately rejected? (it would've been the first and only
> > multiply-cascaded directive)
> >
> > Would anybody like to jog my memory, or give their $0.02 on the matter
> > today?
> >
> > -Brad
Received on Wednesday, 4 December 2013 06:41:55 UTC
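The two fallback chains under discussion (the 1.1 draft's font-src -> default-src versus the proposed font-src -> style-src -> default-src cascade) are easy to confuse in prose, so here is an added example, not code from the thread or from any browser or spec, that resolves a font load under both chains and shows where an explicit font-src lets an author tighten things again. The `parsePolicy`, `effectiveSources` and `fontAllowed` helpers and the sample policy are constructed for this illustration; source matching is deliberately reduced to exact origins plus 'self', 'none' and '*', so it is not a full CSP source-expression matcher.

```javascript
// Added example (not from the original thread): a minimal CSP directive
// resolver comparing the 1.1-draft fallback (font-src -> default-src) with
// the cascade proposed in the thread (font-src -> style-src -> default-src).
// Source matching is simplified to exact origin strings, 'self', 'none', '*';
// schemes, wildcards and paths from real CSP source expressions are omitted.

// Parse "name src src; name src" into { name: [src, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Fallback chains for font-src. "draft" is the single-step fallback of the
// 1.1 draft; "cascaded" is the proposal recalled in the thread (assumption:
// only font-src cascades through style-src, as the mail describes).
const CHAINS = {
  draft:    { 'font-src': ['font-src', 'default-src'] },
  cascaded: { 'font-src': ['font-src', 'style-src', 'default-src'] },
};

// Walk the chain and return the first directive actually present.
function effectiveSources(policy, directive, mode) {
  const chain = CHAINS[mode][directive] || [directive, 'default-src'];
  for (const name of chain) {
    if (name in policy) return { from: name, sources: policy[name] };
  }
  // No governing directive at all: CSP places no restriction on the load.
  return { from: null, sources: ['*'] };
}

function sourceAllowed(sources, origin, pageOrigin) {
  if (sources.includes("'none'")) return false;
  if (sources.includes('*')) return true;
  if (sources.includes("'self'") && origin === pageOrigin) return true;
  return sources.includes(origin.toLowerCase());
}

// Decide whether a font from fontOrigin may load on a page at pageOrigin,
// and report which directive made the decision.
function fontAllowed(header, fontOrigin, pageOrigin, mode) {
  const policy = parsePolicy(header);
  const { from, sources } = effectiveSources(policy, 'font-src', mode);
  return {
    allowed: sourceAllowed(sources, fontOrigin, pageOrigin),
    governedBy: from,
  };
}

// Constructed sample policy: stylesheets may come from a CDN, nothing else
// is widened beyond 'self'. No font-src is given.
const POLICY = "default-src 'self'; style-src 'self' https://cdn.example";
// Same policy with the "paranoid" explicit font-src added back.
const STRICT_POLICY = POLICY + "; font-src 'self'";

const PAGE = 'https://app.example';
const CDN = 'https://cdn.example';

// Stand-alone demonstration of the four combinations.
for (const mode of ['draft', 'cascaded']) {
  console.log(mode, 'no font-src     ->', fontAllowed(POLICY, CDN, PAGE, mode));
  console.log(mode, 'font-src given  ->', fontAllowed(STRICT_POLICY, CDN, PAGE, mode));
}
```

Under the draft chain the CDN font is blocked by default-src even though the CSS that references it was allowed from the same CDN; under the cascaded chain it inherits style-src and loads. In both modes an explicit font-src wins, which is the "more granular way for the paranoid" the mail refers to.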