
Re: SRI and CORS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 3 Jul 2014 15:35:47 +0200
Message-ID: <CADnb78j5WvZ4XVeqN5w+rJoVEaCGSbNF+gtxkOFKPgvcA0E9OQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>

On Thu, Jul 3, 2014 at 3:31 PM, Mike West <mkwst@google.com> wrote:
> Mitigation ideas welcome:
> http://www.w3.org/TR/SRI/#cross-origin-data-leakage-1

Well, what about what I suggested? If you require mode to be CORS or
same-origin (and outlaw no CORS), you know that the contents of the
resource can be shared and as such the hash of those contents can be
shared too.

Received on Thursday, 3 July 2014 13:36:14 UTC
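
The rule suggested in the message above, sketched as an added example (it is not part of the original email and is not taken from the SRI specification or any browser): an integrity check only runs when the request mode guarantees the body may be shared, and a no-CORS cross-origin response gets the same answer whatever its bytes are. The function names, the result strings and the simplified response-type model are assumptions made for this illustration.

```javascript
const nodeCrypto = require("crypto");

// Simplified, hypothetical model of how a request mode maps to a response type:
// same-origin data is "basic", CORS-approved data is "cors",
// cross-origin data fetched without CORS is "opaque".
function responseType(mode, sameOrigin, corsApproved) {
  if (sameOrigin) return "basic";
  if (mode === "same-origin") return "error";              // cross-origin not allowed
  if (mode === "cors") return corsApproved ? "cors" : "error";
  return "opaque";                                         // mode === "no-cors"
}

// Build an integrity value of the form "<alg>-<base64 digest>".
function sriDigest(alg, body) {
  return alg + "-" + nodeCrypto.createHash(alg).update(body).digest("base64");
}

// Returns "match", "mismatch" or "ineligible".
// "ineligible" is decided from the mode and response type alone, before the
// body is hashed, so the outcome cannot reveal anything about opaque content.
function checkIntegrity(mode, sameOrigin, corsApproved, body, integrity) {
  const type = responseType(mode, sameOrigin, corsApproved);
  if (type === "error" || type === "opaque") return "ineligible";

  const dash = integrity.indexOf("-");
  const alg = dash > 0 ? integrity.slice(0, dash) : "";
  if (!["sha256", "sha384", "sha512"].includes(alg)) return "ineligible";

  return sriDigest(alg, body) === integrity ? "match" : "mismatch";
}

// Constructed sample input: a script body and its expected integrity value.
const SAMPLE_BODY = "console.log('library v1');";
const SAMPLE_INTEGRITY = sriDigest("sha256", SAMPLE_BODY);

function demo() {
  return {
    corsGood: checkIntegrity("cors", false, true, SAMPLE_BODY, SAMPLE_INTEGRITY),
    corsTampered: checkIntegrity("cors", false, true, SAMPLE_BODY + "x", SAMPLE_INTEGRITY),
    noCorsGood: checkIntegrity("no-cors", false, false, SAMPLE_BODY, SAMPLE_INTEGRITY),
    noCorsOther: checkIntegrity("no-cors", false, false, "anything else", SAMPLE_INTEGRITY),
  };
}
```

The two no-CORS cases return the same value for a matching and a non-matching body, which is the property the mode restriction is meant to provide.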
