
Re: SRI and CORS

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 16 Jul 2014 07:35:09 -0700
Message-ID: <CAEeYn8hO1cm_jJLpAyCzpehox8vGmUnwXZ5UEsBj6D4M19X70A@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Well, valid JavaScript included via <script src=x> already is
opted out of the same-origin read policy (except for comments), so we
could make the same exception for SRI.  Since script integrity is one
of the most important use cases for SRI, it would make otherwise
mandating CORS-enabled less painful.

On Thu, Jul 3, 2014 at 6:52 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> On 03.07.2014 15:35, Anne van Kesteren wrote:
>> On Thu, Jul 3, 2014 at 3:31 PM, Mike West <mkwst@google.com> wrote:
>>> Mitigation ideas welcome:
>>> http://www.w3.org/TR/SRI/#cross-origin-data-leakage-1
>>
>> Well, what about what I suggested? If you require mode to be CORS or
>> same-origin (and outlaw no CORS), you know that the contents of the
>> resource can be shared and as such the hash of those contents can be
>> shared too.
>>
>>
>
> I can't think of an alternative solution. So, this means we can only
> safely have SRI for resources that are CORS-enabled or same-origin?
>
Received on Wednesday, 16 July 2014 14:35:37 UTC