
Re: SRI: Behavior when a developer fails to specify CORS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 11 Jun 2015 08:46:52 +0200
Message-ID: <CADnb78gAofxN6TWMMVWJLCnFi6bpaRxE4iyDBtv_uu2yV-qyFg@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Jun 11, 2015 at 7:39 AM, Joel Weinberger <jww@chromium.org> wrote:
> FWIW, the status quo is (1). At least a majority of the editors lean towards
> (1) as well since we can adjust in the future in a forwards compatible way,
> but we want to check in with the community to see what we're missing here.
> Again, you can check out the GitHub issue for all the juicy details of our
> back-and-forth.

Given the compatibility argument, (1) would be safest there too.
Otherwise e.g. painting

  <img integrity=...>

on a <canvas> and then exporting it would fail in older user agents
while it would work in newer user agents that get that integrity
implies crossorigin. (You can think of similar examples with <script>
and remote debugging or <link rel=stylesheet> and CSSOM.)

Received on Thursday, 11 June 2015 06:47:17 UTC
