I think we need to make clear that loads initiated by FontFace objects are affected by CSP font-src directives. The right way to do this is probably by using the Fetch algorithm in the spec.
We also need to clarify which window is used to perform the CSP check, when multiple windows are involved. For example, if a FontFace is created in an outer window, added to the FontFaceSet in an iframe, and then layout or a load() call on the FontFaceSet in that iframe's window happens, do we use the CSP directives from the outer window or the iframe? Using the Fetch algorithm would probably fix this too.
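The cross-window case described above can be observed in a browser with a probe like the following. It is an added example, not part of the original comment or of any spec text. The function name `probeFontFaceCsp`, the `csp-probe` family name and the font URL passed in are assumptions, and the two windows are assumed to be same-origin with different `font-src` policies.

```javascript
// Added example: record which document reports a font-src violation when a
// FontFace built in one window is loaded through another window's FontFaceSet.
// outerWin / frameWin: same-origin Window objects (assumption).
// fontUrl: a font URL that exactly one of the two policies forbids (assumption),
//          containing no double quotes.
async function probeFontFaceCsp(outerWin, frameWin, fontUrl, settleMs = 50) {
  const reports = [];

  // Listen on both documents so the result shows whose policy was enforced.
  const watch = (name, win) => {
    const handler = (e) => {
      if (e.effectiveDirective === 'font-src') {
        reports.push({ document: name, blockedURI: e.blockedURI });
      }
    };
    win.document.addEventListener('securitypolicyviolation', handler);
    return () => win.document.removeEventListener('securitypolicyviolation', handler);
  };
  const unwatch = [watch('outer', outerWin), watch('iframe', frameWin)];

  // Step 1: the FontFace is created with the outer window's constructor.
  const face = new outerWin.FontFace('csp-probe', `url("${fontUrl}")`);
  // Step 2: it is added to the FontFaceSet that belongs to the iframe.
  frameWin.document.fonts.add(face);

  // Step 3: the load is triggered from the iframe's FontFaceSet.
  let loaded = false;
  try {
    await frameWin.document.fonts.load('16px csp-probe');
    loaded = face.status === 'loaded';
  } catch {
    loaded = false; // load() rejects when the face fails to load
  }

  // Violation events may be queued; give them a moment to arrive.
  await new Promise((resolve) => setTimeout(resolve, settleMs));
  unwatch.forEach((stop) => stop());

  return {
    loaded,
    status: face.status,
    reports,
    enforcedBy: [...new Set(reports.map((r) => r.document))],
  };
}
```

Running it twice, once with the restrictive policy on the outer document and once with it on the iframe, shows which document's directives a given browser applies.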