Re: Subresource Integrity and fingerprinting

> What is the mitigation that you're agreeing with, Michal? Only performing
> integrity checks on resources delivered with explicitly public cache-control
> or CORS headers?

Well, Eduardo's take is that we should just require CORS and not dance
around it. Maybe that would work, although it does require explicit
cooperation of the third-party site that hosts a particular download,
has a copy of jQuery, etc. I'd imagine this won't always be painless.

An alternative would be to unconditionally fail if integrity= is
specified and none of the following three conditions are met:

1) The subresource is same-origin with the requestor,

2) The subresource is publicly cacheable by proxies (either due to
implicit caching rules, or due to Cache-Control),

3) There is a CORS header that explicitly permits this subresource to
be accessed across origins.


Received on Thursday, 9 January 2014 07:27:35 UTC