W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: SRI fail open behaviour

From: Jonathan Kingston <jonathan@jooped.com>
Date: Mon, 27 Jul 2015 22:41:33 +0000
Message-ID: <CAKrjaaWkA+cpTj5c79oqnE_STA3J4iBjQmx15UPT_gS7UBTTgg@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
1) I'm on the fence here regarding this; the implicit property does seem
very appealing.
There are advantages to having implicit to help developers choose
'anonymous' rather than 'with-credentials'. Also to reduce the chance of
misconfigured attributes.
The disadvantage is users need to be aware of the CORS requirement which
currently isn't something most developers need to consider in HTML
(Although this is mostly a CORS protection here).

2) I can see both sides to this. As mentioned I would be very happy for an
option/attribute to fail-close on unknown/invalid hashes.

I'm sorry this all got dredged up again Joel.

Kind regards

On Mon, 27 Jul 2015 at 23:33 Francois Marier <francois@mozilla.com> wrote:

> On 27/07/15 02:36 PM, Joel Weinberger wrote:
> >    1) Should crossorigin=anonymous be implicit in all requests (unless
> > same-origin or explicitly set by the developer?
> >
> > To (1), there doesn't appear to be consensus (although notably I believe
> > all of the editors agree it should *not* be implicit). I'm not sure how
> > to resolve this at this point, so any suggestions would be welcome. My
> > thought is that since this would be an additional "feature," we should
> > default to not include it if we can't come to consensus, but I'm biased
> > since I don't want it anyway :-)
> I can see that making it implicit is much nicer for developers. It makes
> the feature easier to use because you've only got one attribute to add
> and (as long as your CDN provider is sending the header), you don't have
> to understand or even know about CORS to use SRI.
> On the other hand, perhaps there is value in exposing the fact that this
> is a CORS load and reducing the amount of "magic" that will break when
> the server isn't doing its part.
> Francois
Received on Monday, 27 July 2015 22:42:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:50 UTC