- From: Frederik Braun <fbraun@mozilla.com>
- Date: Mon, 21 Jul 2014 01:05:02 -0700
- To: public-webappsec@w3.org
On 17.07.2014 01:12, Anne van Kesteren wrote: > On Wed, Jul 16, 2014 at 4:35 PM, Brad Hill <hillbrad@gmail.com> wrote: >> Well, valid JavaScript included via <script src=x> already is >> opted-out of the same origin read policy, (except for comments) so we >> could make the same exception for SRI. Since script integrity is one >> of the most important use cases for SRI, it would make otherwise >> mandating CORS-enabled less painful. > > This seems like a very bad idea. > > We should not expand the attack surface. The focus ought to be on > tightening, not loosening, the security policies. > > Hopefully our main SRI use case is untouched by this. Do most CDNs enable CORS? Though it's not a very common pattern to hand out different scripts based on a cookie, I have seen quite some appliances (media servers, router web interfaces) to dynamically embed secrets or config data in JavaScript. We better play safe and do not allow SRI for non-CORS.
Received on Monday, 21 July 2014 08:05:34 UTC