Re: SRI: Behavior when a developer fails to specify CORS

On Fri, Jun 12, 2015 at 7:07 PM, Joel Weinberger wrote:
> I think I understand your point now. If we start silently applying
> crossorigin=anonymous now with integrity, it might appear like it's working
> in Chrome to a developer, for example, but it might only be working because
> CORS is now used, while in an older version of Chrome, it might not be a
> CORS request, and thus might fail. Is that an accurate summary?

Roughly, in an older version of Chrome, or in fact any browser that
does not implement integrity, it won't use CORS and will fail if CORS
was used for anything besides integrity.


Received on Saturday, 13 June 2015 06:11:41 UTC