Re: [SRI] Requiring CORS for SRI from Wendy Seltzer on 2015-05-07 (public-webappsec@w3.org from May 2015)

From: Wendy Seltzer <wseltzer@w3.org>
Date: Thu, 07 May 2015 06:14:37 -0400
To: Anne van Kesteren <annevk@annevk.nl>
CC: Frederik Braun <fbraun@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <554B3B0D.70203@w3.org>

On 05/07/2015 06:11 AM, Anne van Kesteren wrote:
> On Thu, May 7, 2015 at 12:05 PM, Wendy Seltzer <wseltzer@w3.org> wrote:
>> Can't we do the fetch without authentication?
> 
> You already do that, that's what crossorigin=anonymous does. Firewalls
> are the problem, as I said so many times now... I recommend that
> everyone that does not realize that CORS is required here takes a
> crash course in web security. Here's a start:
> 
>   https://annevankesteren.nl/2015/02/same-origin-policy

Sure firewalls are the problem. So say that those behind firewalls
should fix their resource control in a way that doesn't require those in
the open to add headers to make their resources truly open.

--Wendy
> 
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Thursday, 7 May 2015 10:14:50 UTC