Re: [SRI] Requiring CORS for SRI

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 7 May 2015 06:35:32 +0200
Message-ID: <CADnb78giOu6XdyX3_MHWkMkN0UP0mSXznDi2JFODE30RBYWG=Q@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, May 6, 2015 at 8:17 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> Thoughts?

Please stop poking holes in SOP. If we think SOP is no longer
appropriate we should do something about that, but we should not poke
holes in it for each new thing that comes along. For now advocating
proper use of CORS seems like a better use of our time.

The specification should probably point out that for resources behind
a firewall, CORS should only be used with an origin (not *) and only
for origins that are behind the same firewall.


-- 
https://annevankesteren.nl/
Received on Thursday, 7 May 2015 04:35:56 UTC
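
The recommendation in the message above for resources behind a firewall, as an added example that is not part of the original message or of the SRI specification: a server-side check that echoes an origin only when it is on an explicit allowlist of internal origins and never sends `*`. The hostnames and function names are constructed for illustration.

```javascript
// Added example. Origins below are constructed placeholders for
// hosts that sit behind the same firewall as the resource.
const INTERNAL_ORIGINS = new Set([
  "https://wiki.corp.example",
  "https://build.corp.example:8443",
]);

// Normalise an Origin header value to scheme://host[:port].
// Returns null for anything that is not a plain https origin.
function normaliseOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  // An Origin header has no path, query, fragment or credentials,
  // so the serialised origin must equal the header value itself.
  if (url.origin !== value.toLowerCase()) return null;
  return url.origin;
}

// Build the CORS response headers for an intranet resource.
// The allowed origin is echoed back exactly; "*" is never sent,
// because it would let any site the user visits read the response.
function corsHeadersFor(requestOrigin) {
  // Vary: Origin is always set so a shared cache cannot replay a
  // response granted to one origin to a different origin.
  const headers = { "Vary": "Origin" };
  const origin = normaliseOrigin(requestOrigin);
  if (origin !== null && INTERNAL_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed sample requests.
for (const o of ["https://wiki.corp.example", "https://attacker.example"]) {
  console.log(o, "->", JSON.stringify(corsHeadersFor(o)));
}
```

Matching is an exact set lookup rather than a suffix or substring test, so an external host whose name merely contains an internal hostname is not granted access.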
