cascadeRestrictions: misunderstood or not working?
Posted: Thu Sep 01, 2022 4:09 pm
by guest
Hi! I set cascadeRestrictions to true and visit a website. All 1st and 3rd parties are using the default preset. Now I change 3rd party gstatic.com to trusted and it actually loads the fonts. Shouldn't it be blocked from doing so as the 1st party has fonts blocked, too?
Re: cascadeRestrictions: misunderstood or not working?
Posted: Thu Sep 01, 2022 4:19 pm
by Giorgio Maone
cascadeRestrictions applies to subframes: "Any capability blocked in the top document must be blocked in its subdocuments too".
So if you enable the font capability for an origin that is loaded in the top document (vs in a frame), it won't be affected.
Re: cascadeRestrictions: misunderstood or not working?
Posted: Fri Sep 02, 2022 3:56 pm
by guest
Thanks. What's the benefit of having it turned off by default?
Re: cascadeRestrictions: misunderstood or not working?
Posted: Fri Sep 02, 2022 4:21 pm
by Giorgio Maone
guest wrote: ↑Fri Sep 02, 2022 3:56 pm
Thanks. What's the benefit of having it turned off by default?
Making "trusted" embeddings (e.g. YouTube videos, which are implemented as iframes now for security reasons) work even if embedded on less trusted pages.