W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: SRI and CORS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 3 Jul 2014 11:39:33 +0200
Message-ID: <CADnb78hJzJa-W8eM2AYyezbO=sXY-74ePO_mVQ3+EiBVRefW3A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Jul 3, 2014 at 11:35 AM, Mike West <mkwst@google.com> wrote:
> By "get a hold of it", I guess you mean not returning an opaque response for
> known cross-origin data? And allowing things like canvas reads for images
> and unsanitized error handling for script?
> *shrug* Makes sense, I suppose. If you know what the content is already,
> then the risks which prevent us from letting you play with it are certainly
> less pressing.

Yeah I'm not sure if we should do this, really. I'm led to believe
most CDNs are happy with CORS these days. But if there's still a
significant fraction that is not, this might be a way out.

Received on Thursday, 3 July 2014 09:40:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC