Re: [SRI] Requiring CORS for SRI

On Wed, May 6, 2015 at 8:42 PM, Brad Hill <> wrote:
> There may be a few loopholes regarding client certificate resources or
> network topology based ambient authority, but they are really edge cases,
> and hopefully the risk of combining those scenarios with an admin who thinks
> it is legitimate to set ACAO:* for the purposes of SRI is vanishingly small.

Client certificates are considered credentials per Fetch (and therefore CORS).

The exceptions are a) firewalls and b) IP-based authentication.

> One thing the spec doesn't make clear, which I'm actually working on test
> cases for at this very moment, is what if the fetch mode was CORS, but was
> fetched with crossorigin='use-credentials'?  This doesn't seem to be
> explicitly forbidden by the spec, though there are no examples of this.  Is
> it intentional that this might be possible?  I'm not sure there is any
> security impact (the resource's contents could already be viewed if the
> checks passed) but am just curious.

If only the specification were written in terms of Fetch... But yes,
that should totally work.


Received on Thursday, 7 May 2015 04:38:03 UTC