On Mon, Jul 21, 2014 at 10:05 AM, Frederik Braun <fbraun@mozilla.com> wrote: > Hopefully our main SRI use case is untouched by this. Do most CDNs > enable CORS? I don't have statistics. I believe it has gotten a lot better. Probably mostly if you are not dependent on credentials. > Though it's not a very common pattern to hand out different scripts > based on a cookie, I have seen quite some appliances (media servers, > router web interfaces) to dynamically embed secrets or config data in > JavaScript. > We better play safe and do not allow SRI for non-CORS. Agreed. The security policy we have to date is fragile and requires a lot of care. Making it worse should not be an option. -- http://annevankesteren.nl/Received on Sunday, 27 July 2014 17:54:23 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC