Re: SRI: Behavior when a developer fails to specify CORS

From: Joel Weinberger <jww@chromium.org>
Date: Fri, 12 Jun 2015 17:07:22 +0000
Message-ID: <CAHQV2KnOsL=74x4_p0-cXQX2ObMvOa-1K5CgoYB391WXWDR2dA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Jun 12, 2015 at 12:10 AM Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jun 12, 2015 at 5:21 AM, Joel Weinberger <jww@chromium.org> wrote:
> > Wouldn't these examples be compatible in all the cases, since the integrity
> > attribute is not defined for any of these elements?
>
> It is defined for <script> and <link rel=stylesheet>, no? And I'm sure
> it'll be defined for <img> too at some point at which point the
> reasoning applies. It seems useful to consider those future cases too.
>
I think I understand your point now. If we start silently applying
crossorigin=anonymous now with integrity, it might appear like it's working
in Chrome to a developer, for example, but it might only be working because
CORS is now used, while in an older version of Chrome, it might not be a
CORS request, and thus might fail. Is that an accurate summary?

>
>
> --
> https://annevankesteren.nl/
>
Received on Friday, 12 June 2015 17:08:07 UTC
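
An added example, not part of the original message or of any browser's code: a small lint for the case this thread is about, a <script> or <link rel=stylesheet> that carries integrity and points at another origin but has no explicit crossorigin attribute, so a page does not end up relying on a browser applying one silently. The page URL, host names and sample markup are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements the thread names as having `integrity` defined, with their URL attribute.
URL_ATTR = {"script": "src", "link": "href"}


def origin(url):
    """Return (scheme, host, port), filling in the default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


class IntegrityCorsLint(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTR:
            return
        a = dict(attrs)  # HTMLParser lower-cases attribute names
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        url = a.get(URL_ATTR[tag])
        if not url or "integrity" not in a:
            return  # nothing fetched, or no integrity check requested
        target = urljoin(self.page_url, url)  # resolves relative and //host URLs
        if origin(target) == origin(self.page_url):
            return  # same-origin fetch, CORS mode is not the issue
        if "crossorigin" not in a:
            self.findings.append((self.getpos()[0], tag, target))


def lint(html, page_url):
    """Return [(line, tag, resolved_url)] for integrity without crossorigin."""
    parser = IntegrityCorsLint(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup; the digests are placeholders, not real hashes.
SAMPLE = """\
<script src="https://cdn.example/a.js" integrity="sha256-PLACEHOLDER"></script>
<script src="https://cdn.example/b.js" integrity="sha256-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="/site.css" integrity="sha256-PLACEHOLDER">
<link rel="stylesheet" href="//cdn.example/c.css" integrity="sha256-PLACEHOLDER">
<script src="https://cdn.example/d.js"></script>
"""
```

Calling lint(SAMPLE, "https://app.example/index.html") reports lines 1 and 4, the two cross-origin elements that ask for an integrity check without stating a CORS mode.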