W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: SRI and CORS

From: Mike West <mkwst@google.com>
Date: Thu, 3 Jul 2014 11:35:17 +0200
Message-ID: <CAKXHy=fyOJC+=ZwO4UUVFWTL5rgc0wYf4z81ZwcAb11z6UNAhg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
By "get a hold of it", I guess you mean not returning an opaque response
for known cross-origin data? And allowing things like canvas reads for
images and unsanitized error handling for script?

*shrug* Makes sense, I suppose. If you know what the content is already,
then the risks which prevent us from letting you play with it are certainly
less pressing.


Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Jul 3, 2014 at 11:02 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> It seems that if you can already proof what the bits of a resource
> are, maybe you should be able to get hold of it with all the benefits
> of CORS. Probably given a secure enough hash algorithm. Have people
> been thinking about this?
> --
> http://annevankesteren.nl/
Received on Thursday, 3 July 2014 09:36:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC