Re: SRI fail open behaviour

From: Francois Marier <francois@mozilla.com>
Date: Mon, 27 Jul 2015 15:31:31 -0700
Message-ID: <55B6B143.105@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 27/07/15 02:36 PM, Joel Weinberger wrote:
>    1) Should crossorigin=anonymous be implicit in all requests (unless
> same-origin or explicitly set by the developer)?
> 
> To (1), there doesn't appear to be consensus (although notably I believe
> all of the editors agree it should *not* be implicit). I'm not sure how
> to resolve this at this point, so any suggestions would be welcome. My
> thought is that since this would be an additional "feature," we should
> default to not include it if we can't come to consensus, but I'm biased
> since I don't want it anyway :-)

I can see that making it implicit is much nicer for developers. It makes
the feature easier to use because you've only got one attribute to add
and (as long as your CDN provider is sending the header), you don't have
to understand or even know about CORS to use SRI.

On the other hand, perhaps there is value in exposing the fact that this
is a CORS load and reducing the amount of "magic" that will break when
the server isn't doing its part.

Francois
Received on Monday, 27 July 2015 22:32:04 UTC
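A small model of the trade-off Francois describes, added here as an illustration and not code from the thread, the SRI spec or any browser: `load_script` decides whether a cross-origin script runs under the explicit-crossorigin design versus Joel's implicit-anonymous option (1). It assumes anonymous CORS only and a fail-closed treatment of opaque (no-cors) responses; the CDN body, origins and function names are constructed.

```python
import base64
import hashlib

# Digest algorithms SRI accepts, ranked so the strongest one listed is enforced.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}

# Constructed stand-in for a script body served by a CDN.
CDN_BODY = b"window.cdnLib = {version: '1.0'};\n"

def sri_value(body, alg="sha384"):
    """Build the integrity attribute value for body, e.g. 'sha384-<base64>'."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, body).digest()).decode()

def parse_integrity(attr):
    """Split 'sha384-<b64> sha256-<b64>' into (alg, b64) pairs; unknown
    algorithms and '?option' suffixes are ignored, as the format allows."""
    pairs = []
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in STRENGTH:
            pairs.append((alg, rest.split("?", 1)[0]))
    return pairs

def digest_matches(body, attr):
    """True if body matches any digest of the strongest algorithm in attr."""
    pairs = parse_integrity(attr)
    if not pairs:
        return True  # no usable metadata, nothing to enforce
    top = max(STRENGTH[alg] for alg, _ in pairs)
    return any(STRENGTH[alg] == top and sri_value(body, alg) == f"{alg}-{b64}"
               for alg, b64 in pairs)

def load_script(page_origin, src_origin, integrity, crossorigin, body, headers,
                implicit_anonymous=False):
    """Decide whether the script runs (anonymous CORS only); implicit_anonymous
    models option (1), where crossorigin=anonymous is assumed for cross-origin."""
    cross = src_origin != page_origin
    cors_mode = crossorigin is not None or (implicit_anonymous and cross)
    if cross and cors_mode:
        # CORS fetch: the CDN must opt in via ACAO, or the load itself fails.
        if headers.get("Access-Control-Allow-Origin") not in ("*", page_origin):
            return "blocked: cors"
    elif cross and integrity:
        # no-cors fetch yields an opaque response that cannot be hashed.
        return "blocked: opaque"
    if integrity and not digest_matches(body, integrity):
        return "blocked: digest"
    return "executed"
```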