Re: SRI and CORS from Mike West on 2014-07-03 (public-webappsec@w3.org from July 2014)

From: Mike West <mkwst@google.com>
Date: Thu, 3 Jul 2014 15:40:57 +0200
To: Anne van Kesteren <annevk@annevk.nl>, Devdatta Akhawe <dev.akhawe@gmail.com>, Joel Weinberger <jww@google.com>, Frederik Braun <fbraun@mozilla.com>
Cc: Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAKXHy=dOAHMeT396_jz3nSH+0OB-LDY_WmN5h6JxEbEK3YaDug@mail.gmail.com>

Probably reasonable. I defer to Dev, Freddy, and Joel who are deeper in SRI
than I am at the moment.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Jul 3, 2014 at 3:35 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Jul 3, 2014 at 3:31 PM, Mike West <mkwst@google.com> wrote:
> > Mitigation ideas welcome:
> > http://www.w3.org/TR/SRI/#cross-origin-data-leakage-1
>
> Well, what about what I suggested? If you require mode to be CORS or
> same-origin (and outlaw no CORS), you know that the contents of the
> resource can be shared and as such the hash of those contents can be
> shared too.
>
>
> --
> http://annevankesteren.nl/
>

Received on Thursday, 3 July 2014 13:41:43 UTC