
Re: [SRI] Requiring CORS for SRI

From: Austin William Wright <aaa@bzfx.net>
Date: Sat, 9 May 2015 00:14:18 -0700
Message-ID: <CANkuk-WYfQqzQyu6bR5yjbo8hzR9mN3bpm2ZYyrFr_LizoqQmw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Joel Weinberger <jww@chromium.org>, Wendy Seltzer <wseltzer@w3.org>, Frederik Braun <fbraun@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On Fri, May 8, 2015 at 11:40 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Sat, May 9, 2015 at 8:33 AM, Austin William Wright <aaa@bzfx.net>
> wrote:
> > Any anonymous, SRI'd request I can make to a remote server, I can proxy
> > through my own server.
> Actually no, you can't. That's why we have SOP.
Perhaps an illustration is in order. I would like to get the contents of
third-party server <http://example.net/>, but alas, they don't serve CORS
headers. No problem, I set up my server to forward un-credentialed requests
using a custom syntax, and I make the request instead to
<https://example.com//http://example.net/>. I see the contents and can hash
them, and if it's a script I can throw it inside a <script> tag.

The code is wonderfully simple: <

See how I'm presenting a mixed-content response to the user as if it's
secure? Isn't that kind of evil? Just a little bit?

Shouldn't we be a little concerned there's people saying "Don't hassle with
CORS," often creating giant open proxies in the process?
Received on Saturday, 9 May 2015 07:14:53 UTC
