W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: SRI and CORS

From: Mike West <mkwst@google.com>
Date: Thu, 3 Jul 2014 11:44:56 +0200
Message-ID: <CAKXHy=eEHz1oK-X=x86Bx68gGx=p62AkUaHqdFGfyFHw5OJPaQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
I think it's worth considering.

I also think we should defer considering it until after we figure out if
SRI is going to work at all. There are enough security-folk reasons to be
worried about it; I'd like to put off adding fuel to that fire. :)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Jul 3, 2014 at 11:39 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Jul 3, 2014 at 11:35 AM, Mike West <mkwst@google.com> wrote:
> > By "get a hold of it", I guess you mean not returning an opaque response
> for
> > known cross-origin data? And allowing things like canvas reads for images
> > and unsanitized error handling for script?
> >
> > *shrug* Makes sense, I suppose. If you know what the content is already,
> > then the risks which prevent us from letting you play with it are
> certainly
> > less pressing.
>
> Yeah I'm not sure if we should do this, really. I'm led to believe
> most CDNs are happy with CORS these days. But if there's still a
> significant fraction that is not, this might be a way out.
>
>
> --
> http://annevankesteren.nl/
>
Received on Thursday, 3 July 2014 09:45:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC