W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: SRI and CORS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 3 Jul 2014 11:50:09 +0200
Message-ID: <CADnb78jhOpAbNJ1eCPehXk5Csj++K80ij7F88-BdiwJ65Vnhyw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Jul 3, 2014 at 11:44 AM, Mike West <mkwst@google.com> wrote:
> I also think we should defer considering it until after we figure out if SRI
> is going to work at all. There are enough security-folk reasons to be
> worried about it; I'd like to put off adding fuel to that fire. :)

Fair. Opting into SRI could also opt into other things perhaps. Such
as not sending credentials, setting the same-origin data URL flag,
unsetting the authentication flag. Anyway, probably best to wait a bit
until we see what happens with implementations.

Received on Thursday, 3 July 2014 09:50:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC