Re: [SRI] Requiring CORS for SRI

On 05/07/2015 06:11 AM, Anne van Kesteren wrote:
> On Thu, May 7, 2015 at 12:05 PM, Wendy Seltzer <> wrote:
>> Can't we do the fetch without authentication?
> You already do that, that's what crossorigin=anonymous does. Firewalls
> are the problem, as I said so many times now... I recommend that
> everyone that does not realize that CORS is required here takes a
> crash course in web security. Here's a start:

Sure firewalls are the problem. So say that those behind firewalls
should fix their resource control in a way that doesn't require those in
the open to add headers to make their resources truly open.


Wendy Seltzer -- +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)        +1.617.863.0613 (mobile)

Received on Thursday, 7 May 2015 10:14:50 UTC