Re: [webappsec] Cascading style-src onto font-src in CSP

Yup, that was it. Though explicitly specifying font-src would just let
paranoids add additional restrictions, but would also let you add in font
foundaries as additional allowed sources of fonts.

I.e. the same way that img-src can both relax and tighten default-src.

/ Jonas
On Dec 3, 2013 10:41 PM, "Brad Hill" <> wrote:

> Argh.. looking at the old minutes there isn't much, and I dimly recall
> Jonas stepped in to chat during a break when we weren't minuting.
> I think the basic idea was that most folks consider fonts to be part of
> styling a page, that they are likely t be loaded from imported CSS rather
> than directly specified in the resource, and that the attack vectors we're
> defending here are related, so it would be simpler and more intuitive for
> most developers to have it work this way, and give font-src as a more
> granular way for the paranoid to add additional restrictions if needed.
> But I could be remembering incorrectly after a year.  I've cc'd him
> directly, perhaps he can correct me.
> -Brad
> On Tue, Dec 3, 2013 at 10:26 PM, Neil Matatall <> wrote:
>> This seems to add unnecessary complexity, but maybe I don't understand
>> the use case.
>> On Tue, Dec 3, 2013 at 10:15 PM, Brad Hill <> wrote:
>> > As I was thinking about the frame-src, worker-src stuff, I remembered:
>> >
>> >  A last year's TPAC in Lyon, we had Jonas Sicking visit us, and came to
>> > rough consensus at his suggestion that, if font-src wasn't explicitly
>> > specified, it should take the value of style-src, if specified, before
>> it
>> > takes the value of default-src.
>> >
>> >  I notice this isn't in the current 1.1 draft.  Did this just get
>> forgotten
>> > along the way because we forgot to track an action for it, or was it
>> > deliberately rejected?  (it would've been the first and only
>> > multiply-cascaded directive)
>> >
>> >   Would anybody like to jog my memory, or give their $0.02 on the matter
>> > today?
>> >
>> > -Brad

Received on Wednesday, 4 December 2013 07:02:45 UTC