W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2015

Re: SRI: Behavior when a developer fails to specify CORS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 13 Jun 2015 08:11:17 +0200
Message-ID: <CADnb78hUM6vOvLGp1p9v3DVH1k465cXjf-emCG0jsZgtmTaVjA@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Jun 12, 2015 at 7:07 PM, Joel Weinberger <jww@chromium.org> wrote:
> I think I understand your point now. If we start silently applying
> crossorigin=anonymous now with integrity, it might appear like it's working
> in Chrome to a developer, for example, but it might only be working because
> CORS is now used, while in an older version of Chrome, it might not be a
> CORS request, and thus might fail. Is that an accurate summary?

Roughly, in an older version of Chrome, or in fact any browser that
does not implement integrity, it won't use CORS and will fail if CORS
was used for anything besides integrity.

Received on Saturday, 13 June 2015 06:11:41 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC