
Re: [SRI] Requiring CORS for SRI

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 07 May 2015 18:31:06 +0000
Message-ID: <CAEeYn8g9V657fpubS2=NPRrp0FWBhFPJBwHtrqEKrnOK+3sVxA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>, Wendy Seltzer <wseltzer@w3.org>
Cc: Frederik Braun <fbraun@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>

Yes, Wendy, this is a big deal.  It is unfortunate, but there are lots of
enterprises that have a huge amount of sensitive information available with
poor access controls.  I'd like them to fix it, but building meaningful
access control for a legacy system is a much larger effort than the
comparable work for the open ontology people to just add an
Access-Control-Allow-Origin: * global header to their Apache config, and
the likely negative consequences of us opening that kind of security hole
for those systems are vastly vastly greater than the consequences of
preventing a few, lightly-used applications from accessing data that
doesn't set proper CORS headers.

On Thu, May 7, 2015 at 3:19 AM Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, May 7, 2015 at 12:14 PM, Wendy Seltzer <wseltzer@w3.org> wrote:
> > Sure firewalls are the problem. So say that those behind firewalls
> > should fix their resource control in a way that doesn't require those in
> > the open to add headers to make their resources truly open.
>
> Yes, let's break all the things!
>
>
> --
> https://annevankesteren.nl/
>
>
Received on Thursday, 7 May 2015 18:31:34 UTC