W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: SRI fail open behaviour

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 28 Jul 2015 07:52:00 +0200
Message-ID: <CADnb78ia_0=jRbb2ufjh+CATvVwHAQW6xhSL4psVDjakeLxY=A@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jul 27, 2015 at 11:36 PM, Joel Weinberger <jww@chromium.org> wrote:
> It seems to me that we're all in consensus that without CORS, SRI should
> fail closed, [...]

Let me elaborate on what I said on GitHub. In broad strokes fetching
has three modes: "same-origin", "no-cors", and "cors". Most features
use "no-cors". What you are suggesting here is that if you specify
integrity="", it is actually "same-origin". Technically, I think your
proposed processing model is different and wouldn't reject
cross-origin -> same-origin redirects, but I don't think that violates
the same-origin policy this time around, although I don't think it was
a considered difference either.

So you are in effect changing the default, just not to "cors", but to
"same-origin". Seems somewhat arbitrary to me.

Received on Tuesday, 28 July 2015 05:52:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:50 UTC