Re: [SRI] Requiring CORS for SRI

On Fri, May 8, 2015 at 11:40 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Sat, May 9, 2015 at 8:33 AM, Austin William Wright <aaa@bzfx.net>
> wrote:
> > Any anonymous, SRI'd request I can make to a remote server, I can proxy
> > through my own server.
>
> Actually no, you can't. That's why we have SOP.
>
>
Perhaps an illustration is in order. I would like to get the contents of
third-party server <http://example.net/>, but alas, they don't serve CORS
headers. No problem, I set up my server to forward un-credentialed requests
using a custom syntax, and I make the request instead to
<https://example.com//http://example.net/>. I see the contents and can hash
them, and if it's a script I can throw it inside a <script> tag.

The code is wonderfully simple:
<http://blog.javascripting.com/2015/01/17/dont-hassle-with-cors/>

See how I'm presenting a mixed-content response to the user as if it's
secure? Isn't that kind of evil? Just a little bit?

Shouldn't we be a little concerned there are people saying "Don't hassle with
CORS," often creating giant open proxies in the process?

Received on Saturday, 9 May 2015 07:14:53 UTC