- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 18 May 2015 20:36:55 +0000
- To: Frederik Braun <fbraun@mozilla.com>, public-webappsec@w3.org
Received on Monday, 18 May 2015 20:37:23 UTC
Yay! On Mon, May 18, 2015 at 6:43 AM Frederik Braun <fbraun@mozilla.com> wrote: > On 07.05.2015 10:28, Frederik Braun wrote: > > On 07.05.2015 08:17, Francois Marier wrote: > >> On 07/05/15 06:17, Tanvi Vyas wrote: > >>> Requiring CORS is an unfortunate constraint because web developers > >>> cannot use SRI on all the third-party javascript embedded on their > >>> page. They have to reach out to each third-party and ask that they set > >>> the CORS header. > >> > >> Thanks for raising this Tanvi. I'm also worried about the impact that > >> this will have on adoption. > > > > I am hopeful that we can tackle parts of this with outreach. > > I'm not a great evangelist, but I started talking to the jQuery/MaxCDN > > folks and I'm happy to bring this further. > > > > A lot of other CDNs already send ACAO: *. > > > > I had a chat with Adam Ulvi from jQuery last week and I am happy to > report that code.jquery.com is now sending "Access-Control-Allow-Origin: > *". > > >
Received on Monday, 18 May 2015 20:37:23 UTC