W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2015

Re: [SRI] Requiring CORS for SRI

From: Frederik Braun <fbraun@mozilla.com>
Date: Thu, 07 May 2015 10:28:59 +0200
Message-ID: <554B224B.9060509@mozilla.com>
To: public-webappsec@w3.org
On 07.05.2015 08:17, Francois Marier wrote:
> On 07/05/15 06:17, Tanvi Vyas wrote:
>> Requiring CORS is an unfortunate constraint because web developers
>> cannot use SRI on all the third-party javascript embedded on their
>> page.  They have to reach out to each third-party and ask that they set
>> the CORS header.
> 
> Thanks for raising this Tanvi. I'm also worried about the impact that
> this will have on adoption.

I am hopeful that we can tackle parts of this with outreach.
I'm not a great evangelist, but I started talking to the jQuery/MaxCDN
folks and I'm happy to bring this further.

A lot of other CDNs already send ACAO: *.
Received on Thursday, 7 May 2015 08:29:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC