- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Sat, 9 May 2015 07:31:31 -0500
- To: Austin William Wright <aaa@bzfx.net>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Joel Weinberger <jww@chromium.org>, Wendy Seltzer <wseltzer@w3.org>, Frederik Braun <fbraun@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On Sat, May 9, 2015 at 1:33 AM, Austin William Wright <aaa@bzfx.net> wrote:
>
>
> On Fri, May 8, 2015 at 10:13 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>
>> On Fri, May 8, 2015 at 11:59 PM, Austin William Wright <aaa@bzfx.net>
>> wrote:
>> > [I]t's not safe to use SRI as an
>> > excuse to relax existing security precautions: SRI supplements existing
>> > security, it doesn't replace existing security.
>>
>> You cannot both argue that and argue for breaking SOP.
>
>
> Says who?
>
> Any anonymous, SRI'd request I can make to a remote server, I can proxy
> through my own server.

Reading https://annevankesteren.nl/2015/02/same-origin-policy would
help you respond to the actual reasons for SOP.
Received on Saturday, 9 May 2015 12:32:20 UTC