- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 3 Dec 2013 23:02:17 -0800
- To: Brad Hill <hillbrad@gmail.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>, sicking <sicking@mozilla.com>, Neil Matatall <neilm@twitter.com>
- Message-ID: <CA+c2ei9MygUtVgrBe7BZUyBQQZFWbthMmZkPiGDZn2kmRc8B-Q@mail.gmail.com>
Yup, that was it. Though explicitly specifying font-src would just let paranoids add additional restrictions, but would also let you add in font foundries as additional allowed sources of fonts. I.e. the same way that img-src can both relax and tighten default-src.

/ Jonas

On Dec 3, 2013 10:41 PM, "Brad Hill" <hillbrad@gmail.com> wrote:
> Argh.. looking at the old minutes there isn't much, and I dimly recall Jonas stepped in to chat during a break when we weren't minuting.
>
> I think the basic idea was that most folks consider fonts to be part of styling a page, that they are likely to be loaded from imported CSS rather than directly specified in the resource, and that the attack vectors we're defending here are related, so it would be simpler and more intuitive for most developers to have it work this way, and give font-src as a more granular way for the paranoid to add additional restrictions if needed.
>
> But I could be remembering incorrectly after a year. I've cc'd him directly, perhaps he can correct me.
>
> -Brad
>
> On Tue, Dec 3, 2013 at 10:26 PM, Neil Matatall <neilm@twitter.com> wrote:
>> This seems to add unnecessary complexity, but maybe I don't understand the use case.
>>
>> On Tue, Dec 3, 2013 at 10:15 PM, Brad Hill <hillbrad@gmail.com> wrote:
>>> As I was thinking about the frame-src, worker-src stuff, I remembered:
>>>
>>> At last year's TPAC in Lyon, we had Jonas Sicking visit us, and came to rough consensus at his suggestion that, if font-src wasn't explicitly specified, it should take the value of style-src, if specified, before it takes the value of default-src.
>>>
>>> I notice this isn't in the current 1.1 draft. Did this just get forgotten along the way because we forgot to track an action for it, or was it deliberately rejected? (it would've been the first and only multiply-cascaded directive)
>>>
>>> Would anybody like to jog my memory, or give their $0.02 on the matter today?
>>>
>>> -Brad
Received on Wednesday, 4 December 2013 07:02:45 UTC
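The fallback question the thread debates, worked as an added example that is not part of the mailing-list exchange: a small resolver that parses a CSP header and shows which directive ends up governing a font fetch under the published fallback (font-src, then default-src) versus the TPAC proposal (font-src, then style-src, then default-src). The policy header and origins are constructed for illustration.

```javascript
// Added example (not from the thread): resolve which directive governs a
// CSP fetch directive, comparing the published fallback (font-src ->
// default-src) with the cascade proposed above (font-src -> style-src ->
// default-src). The policy header below is constructed for illustration.

// Parse a serialized policy into a Map of directive name -> source tokens.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first wins
  }
  return policy;
}

// Fallback chains: STANDARD is the published behaviour, CASCADED the proposal.
const STANDARD = { 'font-src': ['font-src', 'default-src'] };
const CASCADED = { 'font-src': ['font-src', 'style-src', 'default-src'] };

// Walk the chain; the first directive the policy sets governs the fetch.
function effectiveSources(policy, directive, chains) {
  const chain = chains[directive] || [directive, 'default-src'];
  for (const name of chain) {
    if (policy.has(name)) return { governedBy: name, sources: policy.get(name) };
  }
  return { governedBy: null, sources: null }; // no directive applies: unrestricted
}

// Minimal source-list match: 'self', 'none' (matches nothing) and exact origins.
function allows(sources, origin, selfOrigin) {
  if (sources === null) return true;
  return sources.some(s => (s === "'self'" && origin === selfOrigin) || s === origin);
}

// Constructed policy: no font-src, styles may come from a CDN, the rest is self-only.
const HEADER = "default-src 'self'; style-src 'self' https://cdn.example";
const policy = parsePolicy(HEADER);
const SELF = 'https://app.example';
const FONT_ORIGIN = 'https://cdn.example'; // font served by the same CDN as the CSS

function fontAllowedStandard() { // published rules: falls to default-src -> blocked
  return allows(effectiveSources(policy, 'font-src', STANDARD).sources, FONT_ORIGIN, SELF);
}
function fontAllowedCascaded() { // proposed cascade: inherits style-src -> allowed
  return allows(effectiveSources(policy, 'font-src', CASCADED).sources, FONT_ORIGIN, SELF);
}
```

The two results differ only because the site never wrote font-src; adding an explicit `font-src` line makes both chains agree, which is the "paranoids can still tighten or relax" point made above.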