Re: SRI fail open behaviour

On Mon, Jul 27, 2015 at 11:36 PM, Joel Weinberger <jww@chromium.org> wrote:
> It seems to me that we're all in consensus that without CORS, SRI should
> fail closed, [...]

Let me elaborate on what I said on GitHub. In broad strokes fetching
has three modes: "same-origin", "no-cors", and "cors". Most features
use "no-cors". What you are suggesting here is that if you specify
integrity="", it is actually "same-origin". Technically, I think your
proposed processing model is different and wouldn't reject
cross-origin -> same-origin redirects, but I don't think that violates
the same-origin policy this time around, although I don't think it was
a considered difference either.

So you are in effect changing the default, just not to "cors", but to
"same-origin". Seems somewhat arbitrary to me.


-- 
https://annevankesteren.nl/

Received on Tuesday, 28 July 2015 05:52:27 UTC