Re: [SRI] Requiring CORS for SRI from Austin William Wright on 2015-05-09 (public-webappsec@w3.org from May 2015)

From: Austin William Wright <aaa@bzfx.net>
Date: Fri, 8 May 2015 23:33:41 -0700
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Joel Weinberger <jww@chromium.org>, Wendy Seltzer <wseltzer@w3.org>, Frederik Braun <fbraun@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CANkuk-UgTiwzP2miO8jJt4eTA_1E6ZsiyVn4Se5=YEaJj-6tyQ@mail.gmail.com>

On Fri, May 8, 2015 at 10:13 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, May 8, 2015 at 11:59 PM, Austin William Wright <aaa@bzfx.net>
> wrote:
> > [I]t's not safe to use SRI as an
> > excuse to relax existing security precautions: SRI supplements existing
> > security, it doesn't replace existing security.
>
> You cannot both argue that and argue for breaking SOP.

Says who?

Any anonymous, SRI'd request I can make to a remote server, I can proxy
through my own server.

SOP is dead.

Received on Saturday, 9 May 2015 06:34:09 UTC