- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 28 Jul 2015 07:52:00 +0200
- To: Joel Weinberger <jww@chromium.org>
- Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jul 27, 2015 at 11:36 PM, Joel Weinberger <jww@chromium.org> wrote:
> It seems to me that we're all in consensus that without CORS, SRI should
> fail closed, [...]

Let me elaborate on what I said on GitHub.

In broad strokes fetching has three modes: "same-origin", "no-cors", and "cors". Most features use "no-cors". What you are suggesting here is that if you specify integrity="", it is actually "same-origin".

Technically, I think your proposed processing model is different and wouldn't reject cross-origin -> same-origin redirects, but I don't think that violates the same-origin policy this time around, although I don't think it was a considered difference either.

So you are in effect changing the default, just not to "cors", but to "same-origin". Seems somewhat arbitrary to me.


-- 
https://annevankesteren.nl/
Received on Tuesday, 28 July 2015 05:52:27 UTC