Re: SRI and CORS from Frederik Braun on 2014-07-03 (public-webappsec@w3.org from July 2014)

From: Frederik Braun <fbraun@mozilla.com>
Date: Thu, 03 Jul 2014 15:52:29 +0200
To: public-webappsec@w3.org
Message-ID: <53B5601D.5010104@mozilla.com>

On 03.07.2014 15:35, Anne van Kesteren wrote:
> On Thu, Jul 3, 2014 at 3:31 PM, Mike West <mkwst@google.com> wrote:
>> Mitigation ideas welcome:
>> http://www.w3.org/TR/SRI/#cross-origin-data-leakage-1
> 
> Well, what about what I suggested? If you require mode to be CORS or
> same-origin (and outlaw no CORS), you know that the contents of the
> resource can be shared and as such the hash of those contents can be
> shared too.
> 
> 

I can't think of an alternative solution. So, this means we can only
safely have SRI for resources that are CORS-enabled or same-origin?

Received on Thursday, 3 July 2014 13:52:58 UTC