- From: Frederik Braun <fbraun@mozilla.com>
- Date: Mon, 18 May 2015 15:41:50 +0200
- To: public-webappsec@w3.org
On 07.05.2015 10:28, Frederik Braun wrote: > On 07.05.2015 08:17, Francois Marier wrote: >> On 07/05/15 06:17, Tanvi Vyas wrote: >>> Requiring CORS is an unfortunate constraint because web developers >>> cannot use SRI on all the third-party javascript embedded on their >>> page. They have to reach out to each third-party and ask that they set >>> the CORS header. >> >> Thanks for raising this Tanvi. I'm also worried about the impact that >> this will have on adoption. > > I am hopeful that we can tackle parts of this with outreach. > I'm not a great evangelist, but I started talking to the jQuery/MaxCDN > folks and I'm happy to bring this further. > > A lot of other CDNs already send ACAO: *. > I had a chat with Adam Ulvi from jQuery last week and I am happy to report that code.jquery.com is now sending "Access-Control-Allow-Origin: *".
Received on Monday, 18 May 2015 13:42:27 UTC