Re: SRI and CORS

Probably reasonable. I defer to Dev, Freddy, and Joel who are deeper in SRI
than I am at the moment.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Jul 3, 2014 at 3:35 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Jul 3, 2014 at 3:31 PM, Mike West <mkwst@google.com> wrote:
> > Mitigation ideas welcome:
> > http://www.w3.org/TR/SRI/#cross-origin-data-leakage-1
>
> Well, what about what I suggested? If you require mode to be CORS or
> same-origin (and outlaw no CORS), you know that the contents of the
> resource can be shared and as such the hash of those contents can be
> shared too.
>
>
> --
> http://annevankesteren.nl/
>

Received on Thursday, 3 July 2014 13:41:43 UTC