- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sun, 27 Jul 2014 19:53:56 +0200
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Mon, Jul 21, 2014 at 10:05 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> Hopefully our main SRI use case is untouched by this. Do most CDNs
> enable CORS?

I don't have statistics. I believe it has gotten a lot better. Probably
mostly if you are not dependent on credentials.

> Though it's not a very common pattern to hand out different scripts
> based on a cookie, I have seen quite some appliances (media servers,
> router web interfaces) that dynamically embed secrets or config data in
> JavaScript.
>
> We better play safe and not allow SRI for non-CORS.

Agreed. The security policy we have to date is fragile and requires a
lot of care. Making it worse should not be an option.

--
http://annevankesteren.nl/
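As an added illustration of the point above (not part of the original thread), a small Python helper that computes an SRI `integrity` value and refuses to emit it for a resource whose response is not CORS-readable, which is the condition the spec ended up requiring. The script body, response headers and page origin below are constructed sample values.

```python
import base64
import hashlib

# Constructed sample data: a CDN script served with CORS, and an appliance
# script served without it (the cookie-dependent case from the thread).
CDN_BODY = b"console.log('lib v1');\n"
CDN_HEADERS = {"Access-Control-Allow-Origin": "*"}
APPLIANCE_HEADERS = {"Content-Type": "application/javascript"}
PAGE_ORIGIN = "https://app.example"


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Return the HTML integrity attribute value: '<algo>-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only defines sha256, sha384 and sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_checkable(headers: dict, page_origin: str, with_credentials: bool = False) -> bool:
    """True only when the server opted in via CORS, so the browser may read the body.

    Without that opt-in the response is opaque to the page, and comparing a hash
    against it would leak whether cross-origin (possibly cookie-dependent)
    content matches a guess. Credentialed requests additionally need an exact
    origin echo plus Access-Control-Allow-Credentials: true; '*' is not enough.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False
    if with_credentials:
        acac = h.get("access-control-allow-credentials", "").lower()
        return acao == page_origin and acac == "true"
    return acao == "*" or acao == page_origin


def script_tag(src: str, body: bytes, headers: dict, page_origin: str) -> str:
    """Emit a <script> tag with integrity, or refuse when the resource is non-CORS."""
    if not sri_checkable(headers, page_origin):
        raise ValueError(f"{src} is served without CORS; SRI cannot be applied")
    return (f'<script src="{src}" integrity="{sri_integrity(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(script_tag("https://cdn.example/lib.js", CDN_BODY, CDN_HEADERS, PAGE_ORIGIN))
```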
Received on Sunday, 27 July 2014 17:54:23 UTC