Re: [webappsec] Cascading style-src onto font-src in CSP

Argh.. looking at the old minutes there isn't much, and I dimly recall
Jonas stepped in to chat during a break when we weren't minuting.

I think the basic idea was that most folks consider fonts to be part of
styling a page, that they are likely t be loaded from imported CSS rather
than directly specified in the resource, and that the attack vectors we're
defending here are related, so it would be simpler and more intuitive for
most developers to have it work this way, and give font-src as a more
granular way for the paranoid to add additional restrictions if needed.

But I could be remembering incorrectly after a year.  I've cc'd him
directly, perhaps he can correct me.

-Brad


On Tue, Dec 3, 2013 at 10:26 PM, Neil Matatall <neilm@twitter.com> wrote:

> This seems to add unnecessary complexity, but maybe I don't understand
> the use case.
>
> On Tue, Dec 3, 2013 at 10:15 PM, Brad Hill <hillbrad@gmail.com> wrote:
> > As I was thinking about the frame-src, worker-src stuff, I remembered:
> >
> >  A last year's TPAC in Lyon, we had Jonas Sicking visit us, and came to
> > rough consensus at his suggestion that, if font-src wasn't explicitly
> > specified, it should take the value of style-src, if specified, before it
> > takes the value of default-src.
> >
> >  I notice this isn't in the current 1.1 draft.  Did this just get
> forgotten
> > along the way because we forgot to track an action for it, or was it
> > deliberately rejected?  (it would've been the first and only
> > multiply-cascaded directive)
> >
> >   Would anybody like to jog my memory, or give their $0.02 on the matter
> > today?
> >
> > -Brad
>

Received on Wednesday, 4 December 2013 06:41:55 UTC