SRI: explore the idea of removing the CORS requirement #338
Comments
|
No, that doesn't solve a thing. Again, the reason we have CORS is firewalls. |
|
You already strip out cookies and auth by advocating |
|
As cool as it would be not to require CORS, I don't think there's a way to do that. I'll do the work and explain the problem once again. I'd like to close this issue as WONTFIX, but I'm happy to continue the conversation first. |
|
Mike certainly didn't mean to suggest that we just throw away cookies and call it done. I think instead the suggestion was that if @metromoxie pointed out to me yesterday that that behavior might block future improvements, however, which is worth thinking about. |
|
We could maybe consider defaulting later on, but requiring it separately for now seems appropriate. Although I do wonder what improvements @metromoxie had in mind. |
|
I wouldn't call them 'improvements' per se, but if we ever did decide to make a change that allowed breakage of SOP (such as by publicly cacheable), building crossorigin='anonymous' into SRI would be problematic, as you'd now be locked into CORS permanently. In any case, I'd want to just have a much more thorough discussion about wanting CORS forevermore going forward before making it the default. |
I think that's key. Making CORS mandatory is the best solution we've found so far to the problem that @mozfreddyb described. If we can specify this requirement such that it could be dropped in the future without breaking existing pages on older browsers, then that would be ideal. |
<{.../...}> syntax ought to support all valid attribute/element characters.
|
I think we can consider this closed/wontfix since we decided to fail closed when CORS attributes are missing on a cross-origin load. |
During the last teleconf, @mikewest suggested that we may want to revisit the CORS requirement in the next version of the spec if we strip out cookies and auth in these requests.
The text was updated successfully, but these errors were encountered: