- From: Joel Weinberger <jww@chromium.org>
- Date: Fri, 12 Jun 2015 17:07:22 +0000
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 12 June 2015 17:08:07 UTC
On Fri, Jun 12, 2015 at 12:10 AM Anne van Kesteren <annevk@annevk.nl> wrote: > On Fri, Jun 12, 2015 at 5:21 AM, Joel Weinberger <jww@chromium.org> wrote: > > Wouldn't these examples be compatible in all the cases, since the > integrity > > attribute is not defined for any of these elements? > > It is defined for <script> and <link rel=stylesheet>, no? And I'm sure > it'll be defined for <img> too at some point at which point the > reasoning applies. It seems useful to consider those future cases too. > I think I understand your point now. If we start silently applying crossorigin=anonymous now with integrity, it might appear like it's working in Chrome to a developer, for example, but it might only be working because CORS is now used, while in an older version of Chrome, it might not be a CORS request, and thus might fail. Is that an accurate summary? > > > -- > https://annevankesteren.nl/ >
Received on Friday, 12 June 2015 17:08:07 UTC