W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2015

Re: [SRI] Requiring CORS for SRI

From: Wendy Seltzer <wseltzer@w3.org>
Date: Thu, 07 May 2015 06:05:33 -0400
Message-ID: <554B38ED.1060308@w3.org>
To: Frederik Braun <fbraun@mozilla.com>, public-webappsec@w3.org
On 05/07/2015 04:28 AM, Frederik Braun wrote:
> On 07.05.2015 08:17, Francois Marier wrote:
>> On 07/05/15 06:17, Tanvi Vyas wrote:
>>> Requiring CORS is an unfortunate constraint because web developers
>>> cannot use SRI on all the third-party javascript embedded on their
>>> page.  They have to reach out to each third-party and ask that they set
>>> the CORS header.
>>
>> Thanks for raising this Tanvi. I'm also worried about the impact that
>> this will have on adoption.
> 
> I am hopeful that we can tackle parts of this with outreach.
> I'm not a great evangelist, but I started talking to the jQuery/MaxCDN
> folks and I'm happy to bring this further.

If we can possibly avoid the hard CORS-dependency, that would be great.
I know TimBL has tried outreach to providers of open data or ontologies
who don't set CORS headers, without overwhelming success -- even though
the resources are designed to be open and mashed-up. Can't we do the
fetch without authentication?

--Wendy

> 
> A lot of other CDNs already send ACAO: *.
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Thursday, 7 May 2015 10:05:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC