cascadeRestrictions: misunderstood or not working?


Post by guest »

Hi! I set cascadeRestrictions to true and visit a website. All 1st and 3rd parties are using the default preset. Now I change 3rd party gstatic.com to trusted and it actually loads the fonts. Shouldn't it be blocked from doing so as the 1st party has fonts blocked, too?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: cascadeRestrictions: misunderstood or not working?

Post by Giorgio Maone »

cascadeRestrictions applies to subframes: "Any capability blocked in the top document must be blocked in its subdocuments too".
So if you enable the font capability for an origin that is loaded in the top document (vs in a frame), it won't be affected.
Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Re: cascadeRestrictions: misunderstood or not working?

Post by guest »

Thanks. What's the benefit of having it turned off by default?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0

Re: cascadeRestrictions: misunderstood or not working?

Post by Giorgio Maone »

guest wrote: Fri Sep 02, 2022 3:56 pm Thanks. What's the benefit of having it turned off by default?
Making "trusted" embeddings (e.g. YouTube videos, which are implemented as iframes now for security reasons) work even if embedded on less trusted pages.
Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
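
Added example, not part of the original posts and not NoScript's own code: a simplified model of the rule described in the two replies above, showing why the gstatic.com font loads in the top document and what changes for an embedded frame when cascadeRestrictions is on or off. The preset contents, the site news.example and the function names are assumptions made for this illustration.

```javascript
// Simplified model of the rule quoted in the thread; not NoScript's source.
// Preset contents and site names are constructed for this example.
const PRESETS = {
  DEFAULT: new Set(["frame", "fetch", "other"]),
  TRUSTED: new Set(["script", "font", "media", "frame", "fetch", "other"]),
};
const siteToPreset = new Map([
  ["gstatic.com", "TRUSTED"],
  ["youtube.com", "TRUSTED"],
]);

function presetCaps(site) {
  return PRESETS[siteToPreset.get(site) ?? "DEFAULT"];
}

// Walk up the frame tree to the top-level document.
function topOf(doc) {
  while (doc.parent) doc = doc.parent;
  return doc;
}

// May `doc` load a resource from `resourceSite` that needs `capability`?
function decide(capability, resourceSite, doc, cascadeRestrictions) {
  if (!presetCaps(resourceSite).has(capability)) {
    return "blocked: resource site lacks capability";
  }
  const top = topOf(doc);
  // The cascade only applies to subdocuments, never to the top document itself.
  if (cascadeRestrictions && doc !== top && !presetCaps(top.site).has(capability)) {
    return "blocked: cascaded from top document";
  }
  return "allowed";
}

// Constructed page: news.example (DEFAULT preset) embedding a youtube.com iframe.
const topDoc = { site: "news.example", parent: null };
const ytFrame = { site: "youtube.com", parent: topDoc };

function scenarios() {
  return {
    fontInTopDoc: decide("font", "gstatic.com", topDoc, true),
    fontInSubframe: decide("font", "gstatic.com", ytFrame, true),
    embedCascadeOff: decide("script", "youtube.com", ytFrame, false),
    embedCascadeOn: decide("script", "youtube.com", ytFrame, true),
  };
}
console.log(scenarios());
```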