Re: SRI and CORS

On Mon, Jul 21, 2014 at 10:05 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> Hopefully our main SRI use case is untouched by this. Do most CDNs
> enable CORS?

I don't have statistics. I believe it has gotten a lot better.
Probably mostly if you are not dependent on credentials.


> Though it's not a very common pattern to hand out different scripts
> based on a cookie, I have seen quite a few appliances (media servers,
> router web interfaces) dynamically embed secrets or config data in
> JavaScript.
> We'd better play it safe and not allow SRI for non-CORS.

Agreed. The security policy we have to date is fragile and requires a
lot of care. Making it worse should not be an option.


-- 
http://annevankesteren.nl/

Received on Sunday, 27 July 2014 17:54:23 UTC
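
The rule agreed on in this thread (no SRI for non-CORS responses), modelled as an added example; this is not code from the thread, a browser or the SRI specification. The function names, the result object and the sample script body are assumptions made for illustration; the response types `basic`, `cors` and `opaque` are the Fetch ones.

```javascript
const nodeCrypto = require("crypto");

const STRENGTH = ["sha256", "sha384", "sha512"]; // weakest to strongest
// Responses the embedding origin may read: same-origin ("basic") or
// cross-origin after a successful CORS check ("cors").
const READABLE_TYPES = new Set(["basic", "cors"]);

function sriDigest(body, alg) {
  return nodeCrypto.createHash(alg).update(body).digest("base64");
}

// Parse "sha256-<b64> sha512-<b64>" and keep only the strongest algorithm.
function strongestEntries(metadata) {
  const entries = metadata.trim().split(/\s+/).map((token) => {
    const dash = token.indexOf("-");
    return { alg: token.slice(0, Math.max(dash, 0)), digest: token.slice(dash + 1) };
  }).filter((e) => STRENGTH.includes(e.alg));
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)));
  return entries.filter((e) => STRENGTH.indexOf(e.alg) === best);
}

function checkIntegrity(response, metadata) {
  // Eligibility is decided before the body is hashed, so for an opaque
  // (no-cors, cross-origin) response the outcome never depends on content.
  if (!READABLE_TYPES.has(response.type)) {
    return { allowed: false, reason: "not-cors-readable" };
  }
  const entries = strongestEntries(metadata);
  if (entries.length === 0) {
    return { allowed: true, reason: "no-usable-metadata" };
  }
  const ok = entries.some((e) => sriDigest(response.body, e.alg) === e.digest);
  return ok ? { allowed: true, reason: "match" }
            : { allowed: false, reason: "mismatch" };
}

// Constructed sample: a script body and the integrity value a page would pin.
const SAMPLE_BODY = 'var config = {"label": "constructed-sample"};';
const SAMPLE_INTEGRITY = "sha384-" + sriDigest(SAMPLE_BODY, "sha384");

for (const type of ["cors", "opaque"]) {
  console.log(type, checkIntegrity({ type, body: SAMPLE_BODY }, SAMPLE_INTEGRITY));
}
```

For a CDN to serve scripts that pass this check, the script response has to carry `Access-Control-Allow-Origin` and the embedding element has to request it with the `crossorigin` attribute.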