W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: SRI and CORS

From: Frederik Braun <fbraun@mozilla.com>
Date: Thu, 03 Jul 2014 15:52:29 +0200
Message-ID: <53B5601D.5010104@mozilla.com>
To: public-webappsec@w3.org
On 03.07.2014 15:35, Anne van Kesteren wrote:
> On Thu, Jul 3, 2014 at 3:31 PM, Mike West <mkwst@google.com> wrote:
>> Mitigation ideas welcome:
>> http://www.w3.org/TR/SRI/#cross-origin-data-leakage-1
> 
> Well, what about what I suggested? If you require mode to be CORS or
> same-origin (and outlaw no CORS), you know that the contents of the
> resource can be shared and as such the hash of those contents can be
> shared too.
> 
> 

I can't think of an alternative solution. So, this means we can only
safely have SRI for resources that are CORS-enabled or same-origin?
Received on Thursday, 3 July 2014 13:52:58 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC