W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2015

The jQuery CDN has enabled CORS (Re: [SRI] Requiring CORS for SRI)

From: Frederik Braun <fbraun@mozilla.com>
Date: Mon, 18 May 2015 15:41:50 +0200
Message-ID: <5559EC1E.3010203@mozilla.com>
To: public-webappsec@w3.org
On 07.05.2015 10:28, Frederik Braun wrote:
> On 07.05.2015 08:17, Francois Marier wrote:
>> On 07/05/15 06:17, Tanvi Vyas wrote:
>>> Requiring CORS is an unfortunate constraint because web developers
>>> cannot use SRI on all the third-party javascript embedded on their
>>> page.  They have to reach out to each third-party and ask that they set
>>> the CORS header.
>> Thanks for raising this Tanvi. I'm also worried about the impact that
>> this will have on adoption.
> I am hopeful that we can tackle parts of this with outreach.
> I'm not a great evangelist, but I started talking to the jQuery/MaxCDN
> folks and I'm happy to bring this further.
> A lot of other CDNs already send ACAO: *.

I had a chat with Adam Ulvi from jQuery last week and I am happy to
report that code.jquery.com is now sending "Access-Control-Allow-Origin: *".
Received on Monday, 18 May 2015 13:42:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:49 UTC