- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 17 Jul 2014 10:12:48 +0200
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Jul 16, 2014 at 4:35 PM, Brad Hill <hillbrad@gmail.com> wrote:
> Well, valid JavaScript included via <script src=x> already is
> opted-out of the same origin read policy, (except for comments) so we
> could make the same exception for SRI. Since script integrity is one
> of the most important use cases for SRI, it would make otherwise
> mandating CORS-enabled less painful.

This seems like a very bad idea. We should not expand the attack
surface. The focus ought to be on tightening, not loosening, the
security policies.

--
http://annevankesteren.nl/

Received on Thursday, 17 July 2014 08:13:16 UTC