
Re: SRI and CORS

From: Frederik Braun <fbraun@mozilla.com>
Date: Mon, 21 Jul 2014 01:05:02 -0700
Message-ID: <53CCC9AE.9000801@mozilla.com>
To: public-webappsec@w3.org

On 17.07.2014 01:12, Anne van Kesteren wrote:
> On Wed, Jul 16, 2014 at 4:35 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> Well, valid JavaScript included via <script src=x> already is
>> opted-out of the same origin read policy, (except for comments) so we
>> could make the same exception for SRI.  Since script integrity is one
>> of the most important use cases for SRI, it would make otherwise
>> mandating CORS-enabled less painful.
> 
> This seems like a very bad idea.
> 
> We should not expand the attack surface. The focus ought to be on
> tightening, not loosening, the security policies.
> 
> 

Hopefully our main SRI use case is untouched by this. Do most CDNs
enable CORS?

Though it's not a very common pattern to hand out different scripts
based on a cookie, I have seen quite a few appliances (media servers,
router web interfaces) dynamically embed secrets or config data in
JavaScript.
We had better play it safe and not allow SRI for non-CORS.

Received on Monday, 21 July 2014 08:05:34 UTC
