- From: Francois Marier <francois@mozilla.com>
- Date: Mon, 27 Jul 2015 15:31:31 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 27/07/15 02:36 PM, Joel Weinberger wrote:
> 1) Should crossorigin=anonymous be implicit in all requests (unless
> same-origin or explicitly set by the developer?
>
> To (1), there doesn't appear to be consensus (although notably I believe
> all of the editors agree it should *not* be implicit). I'm not sure how
> to resolve this at this point, so any suggestions would be welcome. My
> thought is that since this would be an additional "feature," we should
> default to not include it if we can't come to consensus, but I'm biased
> since I don't want it anyway :-)

I can see that making it implicit is much nicer for developers. It makes the feature easier to use because you've only got one attribute to add and (as long as your CDN provider is sending the header), you don't have to understand or even know about CORS to use SRI.

On the other hand, perhaps there is value in exposing the fact that this is a CORS load and reducing the amount of "magic" that will break when the server isn't doing its part.

Francois

Received on Monday, 27 July 2015 22:32:04 UTC