W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2015

Re: [SRI] Requiring CORS for SRI

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 7 May 2015 12:11:41 +0200
Message-ID: <CADnb78i0bSnKTAAYCgfZS705yVY3A937d93yAdMLuTHN39HgRQ@mail.gmail.com>
To: Wendy Seltzer <wseltzer@w3.org>
Cc: Frederik Braun <fbraun@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On Thu, May 7, 2015 at 12:05 PM, Wendy Seltzer <wseltzer@w3.org> wrote:
> Can't we do the fetch without authentication?

You already do that, that's what crossorigin=anonymous does. Firewalls
are the problem, as I said so many times now... I recommend that
everyone that does not realize that CORS is required here takes a
crash course in web security. Here's a start:

  https://annevankesteren.nl/2015/02/same-origin-policy


-- 
https://annevankesteren.nl/
Received on Thursday, 7 May 2015 10:12:06 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC