- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 8 Jan 2014 23:26:48 -0800
- To: Mike West <mkwst@google.com>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Mark Nottingham <mnot@mnot.net>, Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Frederik Braun <fbraun@mozilla.com>

> What is the mitigation that you're agreeing with, Michal? Only performing
> integrity checks on resources delivered with explicitly public cache-control
> or CORS headers?

Well, Eduardo's take is that we should just require CORS and not dance around it. Maybe that would work, although it does require explicit cooperation of the third-party site that hosts a particular download, has a copy of jQuery, etc. I'd imagine this won't always be painless.

An alternative would be to unconditionally fail if integrity= is specified and none of the following three conditions are met:

1) The subresource is same-origin with the requestor,

2) The subresource is publicly cacheable by proxies (either due to implicit caching rules, or due to Cache-Control),

3) There is a CORS header that explicitly permits this subresource to be accessed across origins.

/mz

Received on Thursday, 9 January 2014 07:27:35 UTC
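
The three-condition gate proposed in the message above, sketched as an added example (not code from the thread or from any browser). The function names, the lowercase-keyed header object, and the approximation of "implicit caching rules" are assumptions made for illustration.

```javascript
// Added example: fail closed unless one of the three proposed conditions holds.
// All names here are hypothetical; headers are passed as a lowercase-keyed object.

// Parse a Cache-Control value into a set of lowercase directive names.
function cacheDirectives(value) {
  return new Set(
    (value || "").split(",")
      .map((d) => d.trim().split("=")[0].toLowerCase())
      .filter(Boolean)
  );
}

// Condition 2: publicly cacheable by proxies. Explicit Cache-Control wins;
// "implicit caching rules" are approximated (assumption) as: nothing forbids
// shared caching and the response carries Expires or Last-Modified.
function publiclyCacheable(headers) {
  const cc = cacheDirectives(headers["cache-control"]);
  if (cc.has("private") || cc.has("no-store") || cc.has("no-cache")) return false;
  if (cc.has("public") || cc.has("s-maxage") || cc.has("max-age")) return true;
  return Boolean(headers["expires"] || headers["last-modified"]);
}

// Condition 3: a CORS header that explicitly permits the requesting origin.
function corsPermits(headers, requestorOrigin) {
  const acao = (headers["access-control-allow-origin"] || "").trim();
  return acao === "*" || acao === requestorOrigin;
}

// Returns the name of the condition that allows the integrity check to run,
// or null, meaning a load with integrity= must fail unconditionally.
function integrityGate(requestorUrl, resourceUrl, headers) {
  const requestorOrigin = new URL(requestorUrl).origin;
  if (new URL(resourceUrl).origin === requestorOrigin) return "same-origin";
  if (publiclyCacheable(headers)) return "publicly-cacheable";
  if (corsPermits(headers, requestorOrigin)) return "cors";
  return null;
}
```

A null result corresponds to the "unconditionally fail" case: the load is rejected before any hash comparison takes place.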