When working on Bug 909920 we realized that |aRequestingLocation| in ShouldLoad is different when loading images and fonts from a CSS file. For images: http://people.mozilla.org/~tvyas/darkreading.html aRequestingLocation is the CSS file. For fonts: http://people.mozilla.org/~tvyas/darkreading-font2.html aRequestingLocation in the HTML file. We think aRequestingLocation should be the CSS file in both cases.
Also, when you import css from css, I believe aRequestingLocation is the CSS file. http://people.mozilla.org/~tvyas/darkreading-style.html Christoph can confirm.
Summary: ShouldLoad inconsistency of aRequestingLocation between images and fonts → ShouldLoad inconsistency of aRequestingLocation between images and fonts requested from css files
I believe for fonts the HTML file was purposefully chosen because of the security-check behavior we wanted here. John should have the details...
Hrm, or maybe this part was Jonathan, actually, looking at the blame.
No, definitely John. See bug 457825 for the discussion.
Maybe the right answer is that we should use a different principal for the CheckMayLoad check and the content policy check. That has an immediate smell to me, though...
From the CSS Fonts spec: https://drafts.csswg.org/css-fonts/#font-fetching-requirements "When fetching, user agents must use "Anonymous" mode, set the referrer source to the stylesheet's URL and set the origin to the URL of the containing document."
You need to log in before you can comment on or make changes to this bug.