Re: [SRI] Requiring CORS for SRI

On 05/07/2015 06:11 AM, Anne van Kesteren wrote:
> On Thu, May 7, 2015 at 12:05 PM, Wendy Seltzer <wseltzer@w3.org> wrote:
>> Can't we do the fetch without authentication?
> 
> You already do that, that's what crossorigin=anonymous does. Firewalls
> are the problem, as I said so many times now... I recommend that
> everyone that does not realize that CORS is required here takes a
> crash course in web security. Here's a start:
> 
>   https://annevankesteren.nl/2015/02/same-origin-policy

Sure, firewalls are the problem. So say that those behind firewalls
should fix their resource control in a way that doesn't require those in
the open to add headers to make their resources truly open.

--Wendy

-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Thursday, 7 May 2015 10:14:50 UTC