W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: Subresource Integrity and fingerprinting

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 9 Jan 2014 13:20:49 +0000
Message-ID: <CADnb78jdsMY+o-SJVDBppO1x7ppDM64d00P+gZVhgpEtMo0ocQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Mark Nottingham <mnot@mnot.net>, Michal Zalewski <lcamtuf@coredump.cx>, Devdatta Akhawe <dev.akhawe@gmail.com>, Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Frederik Braun <fbraun@mozilla.com>
On Thu, Jan 9, 2014 at 1:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Jan 9, 2014 at 8:16 AM, Mike West <mkwst@google.com> wrote:
>> Relying on CORS assumes that any sensitive data that should be available
>> cross-origin would have appropriate headers applied to any response.
>
> It's more complicated as you need to vary the CORS headers based on
> the request ("*" no longer works), but that is typically the case for
> sensitive data already.

I should have elaborated a bit. What I meant is that typically
sensitive data already varies based on the request due to it varying
based on credentials.


-- 
http://annevankesteren.nl/
Received on Thursday, 9 January 2014 13:21:16 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC