Re: The jQuery CDN has enabled CORS (Re: [SRI] Requiring CORS for SRI) from Brad Hill on 2015-05-18 (public-webappsec@w3.org from May 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 18 May 2015 20:36:55 +0000
To: Frederik Braun <fbraun@mozilla.com>, public-webappsec@w3.org
Message-ID: <CAEeYn8gTpfRmS0757qn6taT2Ss4T=yu=12-1ZiOESz3mVEt6XQ@mail.gmail.com>

Yay!

On Mon, May 18, 2015 at 6:43 AM Frederik Braun <fbraun@mozilla.com> wrote:

> On 07.05.2015 10:28, Frederik Braun wrote:
> > On 07.05.2015 08:17, Francois Marier wrote:
> >> On 07/05/15 06:17, Tanvi Vyas wrote:
> >>> Requiring CORS is an unfortunate constraint because web developers
> >>> cannot use SRI on all the third-party javascript embedded on their
> >>> page.  They have to reach out to each third-party and ask that they set
> >>> the CORS header.
> >>
> >> Thanks for raising this Tanvi. I'm also worried about the impact that
> >> this will have on adoption.
> >
> > I am hopeful that we can tackle parts of this with outreach.
> > I'm not a great evangelist, but I started talking to the jQuery/MaxCDN
> > folks and I'm happy to bring this further.
> >
> > A lot of other CDNs already send ACAO: *.
> >
>
> I had a chat with Adam Ulvi from jQuery last week and I am happy to
> report that code.jquery.com is now sending "Access-Control-Allow-Origin:
> *".
>
>
>

Received on Monday, 18 May 2015 20:37:23 UTC