- From: David Benjamin <notifications@github.com>
- Date: Mon, 13 Jul 2015 11:34:49 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Monday, 13 July 2015 18:35:20 UTC
Oh yuck. Yeah, I think I agree with Anne that we should remove these requests from SW and Resource Timing unless you add the `crossorigin` attribute. These kinds of "the contents are secret, but if they happen to parse as foo, you can execute it" security policies are super-hairy. We shouldn't add new ones. In fact, cross-origin CSS has already bitten us in the past because the CSS parser is extremely error-tolerant. See https://www.linshunghuang.com/papers/css.pdf

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/719#issuecomment-121017240