- From: Mike West <mkwst@google.com>
- Date: Thu, 3 Jul 2014 15:31:27 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>
Received on Thursday, 3 July 2014 13:32:16 UTC
Mitigation ideas welcome: http://www.w3.org/TR/SRI/#cross-origin-data-leakage-1 -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Jul 3, 2014 at 3:28 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > Thanks AGL for killing the idea so quickly. > > On Thu, Jul 3, 2014 at 3:25 PM, Mike West <mkwst@google.com> wrote: > > This is a problem with SRI generally. If you can determine that the load > > failed (and you can), then you can do this without the CORS bypass. > > That does seem like a problem. Maybe SRI should not work if request's > mode is no CORS. > > > -- > http://annevankesteren.nl/ >
Received on Thursday, 3 July 2014 13:32:16 UTC