Re: [SRI] Requiring CORS for SRI

On Fri, May 8, 2015 at 11:40 PM, Anne van Kesteren <> wrote:

> On Sat, May 9, 2015 at 8:33 AM, Austin William Wright <>
> wrote:
> > Any anonymous, SRI'd request I can make to a remote server, I can proxy
> > through my own server.
> Actually no, you can't. That's why we have SOP.

Perhaps an illustration is in order. I would like to get the contents of
third-party server <>, but alas, they don't serve CORS
headers. No problem, I set up my server to forward un-credentialed requests
using a custom syntax, and I make the request instead to <>. I see the contents and can hash
them, and if it's a script I can throw it inside a <script> tag.

The code is wonderfully simple: <>

See how I'm presenting a mixed-content response to the user as if it's
secure? Isn't that kind of evil? Just a little bit?

Shouldn't we be a little concerned there are people saying "Don't hassle with
CORS," often creating giant open proxies in the process?

Received on Saturday, 9 May 2015 07:14:53 UTC