Re: [SRI] Requiring CORS for SRI from Austin William Wright on 2015-05-09 (public-webappsec@w3.org from May 2015)

From: Austin William Wright <aaa@bzfx.net>
Date: Sat, 9 May 2015 00:14:18 -0700
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Joel Weinberger <jww@chromium.org>, Wendy Seltzer <wseltzer@w3.org>, Frederik Braun <fbraun@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CANkuk-WYfQqzQyu6bR5yjbo8hzR9mN3bpm2ZYyrFr_LizoqQmw@mail.gmail.com>

On Fri, May 8, 2015 at 11:40 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Sat, May 9, 2015 at 8:33 AM, Austin William Wright <aaa@bzfx.net>
> wrote:
> > Any anonymous, SRI'd request I can make to a remote server, I can proxy
> > through my own server.
>
> Actually no, you can't. That's why we have SOP.
>
>
Perhaps an illustration is in order. I would like to get the contents of
third-party server <http://example.net/>, but alas, they don't serve CORS
headers. No problem, I set up my server to forward un-credentialed requests
using a custom syntax, and I make the request instead to <
https://example.com//http://example.net/>. I see the contents and can hash
them, and if it's a script I can throw it inside a <script> tag.

The code is wonderfully simple: <
http://blog.javascripting.com/2015/01/17/dont-hassle-with-cors/>

See how I'm presenting a mixed-content response to the user as if it's
secure? Isn't that kind of evil? Just a little bit?

Shouldn't we be a little concerned there's people saying "Don't hassle with
CORS," often creating giant open proxies in the process?

Received on Saturday, 9 May 2015 07:14:53 UTC