Re: SRI: Behavior when a developer fails to specify CORS

On Fri, Jun 12, 2015 at 12:10 AM Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jun 12, 2015 at 5:21 AM, Joel Weinberger <jww@chromium.org> wrote:
> > Wouldn't these examples be compatible in all the cases, since the integrity
> > attribute is not defined for any of these elements?
>
> It is defined for <script> and <link rel=stylesheet>, no? And I'm sure
> it'll be defined for <img> too at some point at which point the
> reasoning applies. It seems useful to consider those future cases too.
>
I think I understand your point now. If we start silently applying
crossorigin=anonymous now with integrity, it might appear like it's working
in Chrome to a developer, for example, but it might only be working because
CORS is now used, while in an older version of Chrome, it might not be a
CORS request, and thus might fail. Is that an accurate summary?

>
>
> --
> https://annevankesteren.nl/
>

Received on Friday, 12 June 2015 17:08:07 UTC
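
The case discussed in this thread can be checked for in markup before shipping. The following is an added example, not code from the thread or from any browser: a small Node.js lint that flags `<script>` and `<link rel=stylesheet>` elements that carry `integrity` and point at another origin but have no explicit `crossorigin` attribute. The function names, the sample page, the hostnames and the digests are all constructed placeholders.

```javascript
// Constructed sample page; hostnames and digests are placeholders, not real values.
const SAMPLE_HTML = `
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example/ok.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="/local.css" integrity="sha384-PLACEHOLDER">
<link rel=stylesheet href="https://cdn.example/site.css" integrity=sha384-PLACEHOLDER>
<img src="https://cdn.example/a.png">
`;

// Parse the attributes of one start tag into a map keyed by lowercase name.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return every integrity-protected script/stylesheet that is cross-origin
// relative to pageUrl and does not state crossorigin explicitly. Such markup
// depends on whether the browser makes a CORS request on its own.
function findIntegrityWithoutCors(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [tag, name] of html.matchAll(/<(script|link)\b[^>]*>/gi)) {
    const el = name.toLowerCase();
    const a = parseAttrs(tag);
    if (!('integrity' in a)) continue;
    // Only stylesheet links are in scope; other rel values are skipped.
    if (el === 'link' && !/\bstylesheet\b/i.test(a.rel || '')) continue;
    const ref = el === 'script' ? a.src : a.href;
    if (!ref) continue; // inline script or link without a target
    const url = new URL(ref, pageUrl); // resolves relative references
    if (url.origin !== pageOrigin && !('crossorigin' in a)) {
      findings.push({ element: el, url: url.href });
    }
  }
  return findings;
}

console.log(findIntegrityWithoutCors(SAMPLE_HTML, 'https://site.example/index.html'));
```

The tag matching is regex-based and assumes no `>` inside attribute values; a full HTML parser would be needed for arbitrary pages.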