- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Thu, 07 May 2015 06:05:33 -0400
- To: Frederik Braun <fbraun@mozilla.com>, public-webappsec@w3.org
On 05/07/2015 04:28 AM, Frederik Braun wrote: > On 07.05.2015 08:17, Francois Marier wrote: >> On 07/05/15 06:17, Tanvi Vyas wrote: >>> Requiring CORS is an unfortunate constraint because web developers >>> cannot use SRI on all the third-party javascript embedded on their >>> page. They have to reach out to each third-party and ask that they set >>> the CORS header. >> >> Thanks for raising this Tanvi. I'm also worried about the impact that >> this will have on adoption. > > I am hopeful that we can tackle parts of this with outreach. > I'm not a great evangelist, but I started talking to the jQuery/MaxCDN > folks and I'm happy to bring this further. If we can possibly avoid the hard CORS-dependency, that would be great. I know TimBL has tried outreach to providers of open data or ontologies who don't set CORS headers, without overwhelming success -- even though the resources are designed to be open and mashed-up. Can't we do the fetch without authentication? --Wendy > > A lot of other CDNs already send ACAO: *. > -- Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) Policy Counsel and Domain Lead, World Wide Web Consortium (W3C) http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Thursday, 7 May 2015 10:05:47 UTC