- From: Mike West <mkwst@google.com>
- Date: Thu, 3 Jul 2014 11:35:17 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Thursday, 3 July 2014 09:36:04 UTC
By "get a hold of it", I guess you mean not returning an opaque response for known cross-origin data? And allowing things like canvas reads for images and unsanitized error handling for script? *shrug* Makes sense, I suppose. If you know what the content is already, then the risks which prevent us from letting you play with it are certainly less pressing. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Jul 3, 2014 at 11:02 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > It seems that if you can already proof what the bits of a resource > are, maybe you should be able to get hold of it with all the benefits > of CORS. Probably given a secure enough hash algorithm. Have people > been thinking about this? > > > -- > http://annevankesteren.nl/ > >
Received on Thursday, 3 July 2014 09:36:04 UTC