
Re: SRI and CORS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sun, 27 Jul 2014 19:53:56 +0200
Message-ID: <CADnb78hE7MyOMU6x0SK8K+i8hs6FEp9hiUNPmUk_Yc5bGTBiSA@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Mon, Jul 21, 2014 at 10:05 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> Hopefully our main SRI use case is untouched by this. Do most CDNs
> enable CORS?

I don't have statistics. I believe it has gotten a lot better.
Probably mostly if you are not dependent on credentials.


> Though it's not a very common pattern to hand out different scripts
> based on a cookie, I have seen quite some appliances (media servers,
> router web interfaces) to dynamically embed secrets or config data in
> JavaScript.
> We better play safe and do not allow SRI for non-CORS.

Agreed. The security policy we have to date is fragile and requires a
lot of care. Making it worse should not be an option.


-- 
http://annevankesteren.nl/
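The rule the thread settles on (integrity metadata is only honoured for same-origin or CORS-enabled responses, never for an opaque cross-origin response) can be modelled in a few lines. The following is an added example, not code from the thread or from any browser; the `Response` class, the `check_sri` function and the sample script bodies are assumptions constructed for illustration, and the `basic`/`cors`/`opaque` labels follow the Fetch response-type vocabulary. It shows why the check must refuse an opaque response before comparing digests: a cookie-dependent script that embeds a secret would otherwise turn the pass/fail result into a yes/no answer about its contents.

```python
import base64
import hashlib

# Constructed sample script bodies (not taken from the thread).
PUBLIC_LIB = b"window.lib = { version: '1.0' };\n"
SECRET_CONFIG = b"window.config = { apiToken: 'EXAMPLE-TOKEN-NOT-REAL' };\n"

SUPPORTED = ("sha256", "sha384", "sha512")


def sri_integrity(body: bytes, algorithm: str = "sha384") -> str:
    """Build an integrity value of the form '<alg>-<base64 digest>' for body,
    as a site would place it in a script element's integrity attribute."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(value: str):
    """Split an integrity attribute into (algorithm, base64 digest) pairs.
    Tokens with an unknown algorithm are ignored rather than failing."""
    tokens = []
    for token in value.split():
        alg, sep, digest = token.partition("-")
        if sep and alg in SUPPORTED:
            tokens.append((alg, digest))
    return tokens


class Response:
    """Minimal stand-in for a fetched response (assumption, not a real API).
    response_type is 'basic' (same-origin), 'cors' (cross-origin with a valid
    CORS grant) or 'opaque' (cross-origin without CORS)."""

    def __init__(self, body: bytes, response_type: str):
        self.body = body
        self.type = response_type


def check_sri(response: Response, integrity: str) -> str:
    """Model of the policy agreed in the thread, on the browser side.
    Returns 'ok', 'blocked' or 'mismatch'."""
    expected = parse_integrity(integrity)
    if not expected:
        return "ok"  # no usable metadata: nothing to enforce
    if response.type == "opaque":
        # Refuse before comparing anything. A pass/fail signal on an opaque,
        # possibly cookie-dependent response would tell the embedding page
        # whether a guessed body (one embedding a secret, say) is what the
        # server actually returned.
        return "blocked"
    for alg, digest in expected:
        actual = base64.b64encode(hashlib.new(alg, response.body).digest())
        if actual.decode("ascii") == digest:
            return "ok"
    return "mismatch"


if __name__ == "__main__":
    meta = sri_integrity(PUBLIC_LIB)
    print(check_sri(Response(PUBLIC_LIB, "cors"), meta))      # ok
    print(check_sri(Response(PUBLIC_LIB, "opaque"), meta))    # blocked
    print(check_sri(Response(SECRET_CONFIG, "cors"), meta))   # mismatch
```

Note that the opaque case returns `blocked` regardless of whether the digest would have matched; that is the point of the rule, since the difference between "blocked" and "mismatch" is exactly the signal that must not exist for a non-CORS resource.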
Received on Sunday, 27 July 2014 17:54:23 UTC
