Re: SRI: Behavior when a developer fails to specify CORS

On Thu, Jun 11, 2015 at 7:39 AM, Joel Weinberger <> wrote:
> FWIW, the status quo is (1). At least a majority of the editors lean towards
> (1) as well since we can adjust in the future in a forwards compatible way,
> but we want to check in with the community to see what we're missing here.
> Again, you can check out the GitHub issue for all the juicy details of our
> back-and-forth.

Given the compatibility argument, (1) would be safest there too.
Otherwise e.g. painting

  <img integrity=...>

on a <canvas> and then exporting it would fail in older user agents
while it would work in newer user agents that get that integrity
implies crossorigin. (You can think of similar examples with <script>
and remote debugging or <link rel=stylesheet> and CSSOM.)


Received on Thursday, 11 June 2015 06:47:17 UTC