W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: SRI and CORS

From: Mike West <mkwst@google.com>
Date: Thu, 3 Jul 2014 15:31:27 +0200
Message-ID: <CAKXHy=c+bVUiHC44puOUAc5syPbFHPXHv+gKKCM1JuWZKOkazQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>
Mitigation ideas welcome:
http://www.w3.org/TR/SRI/#cross-origin-data-leakage-1

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Jul 3, 2014 at 3:28 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Thanks AGL for killing the idea so quickly.
>
> On Thu, Jul 3, 2014 at 3:25 PM, Mike West <mkwst@google.com> wrote:
> > This is a problem with SRI generally. If you can determine that the load
> > failed (and you can), then you can do this without the CORS bypass.
>
> That does seem like a problem. Maybe SRI should not work if request's
> mode is no CORS.
>
>
> --
> http://annevankesteren.nl/
>
Received on Thursday, 3 July 2014 13:32:16 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC