Merge pull request #437 from metromoxie/sri-fail-on-no-cors

Francois Marier · Francois Marier · commit 065b30d10f7e · 2015-08-11T08:51:23.000-07:00
Fail closed on CORS failures
diff --git a/specs/subresourceintegrity/index.html b/specs/subresourceintegrity/index.html
@@ -541,7 +541,7 @@ <h4 id="does-response-match-metadatalist">Does <var>response</var> match <var>me
 <a href="#parse-metadata">parsing <var>metadataList</var></a>.</li>
         <li>If <var>parsedMetadata</var> is <code>no metadata</code>, return <code>true</code>.</li>
         <li>If <a href="#is-response-eligible-for-integrity-validation"><var>response</var> is not eligible for integrity
-validation</a>, return <code>true</code>.</li>
+validation</a>, return <code>false</code>.</li>
         <li>Let <var>metadata</var> be the result of <a href="#get-the-strongest-metadata-from-set">getting the strongest
 metadata from <var>parsedMetadata</var></a>.</li>
         <li>For each <var>item</var> in <var>metadata</var>:
@@ -579,12 +579,10 @@ <h4 id="does-response-match-metadatalist">Does <var>response</var> match <var>me
 correctly, even if the HTTPS version of a resource differs from the HTTP
 version.</p>
 
-      <p class="note">This algorithm returns <code>true</code> if the response is not eligible for integrity
-validation, on the general principle that client errors (in this case, an
-attempt to validate the integrity of a response that is not accessible via
-same-origin or CORS) should fail open since they are not the result of an attack
-in the threat model of this specification. However, user agents SHOULD report
-a warning message about this failure in the developer console.</p>
+      <p class="note">This algorithm returns <code>false</code> if the response is not <a href="#is-response-eligible-for-integrity-validation">eligible</a> for integrity
+validation since Subresource Integrity requires CORS, and it is a logical error
+to attempt to use it without CORS. Additionally, user agents SHOULD report a
+warning message to the developer console to explain this failure.</p>
     </section>
     <!-- Algorithms::Match -->
   </section>
diff --git a/specs/subresourceintegrity/spec.markdown b/specs/subresourceintegrity/spec.markdown
@@ -419,7 +419,7 @@ the user agent.
     [parsing <var>metadataList</var>][parse].
 2.  If <var>parsedMetadata</var> is `no metadata`, return `true`.
 3.  If [<var>response</var> is not eligible for integrity
-    validation][eligible], return `true`.
+    validation][eligible], return `false`.
 4.  Let <var>metadata</var> be the result of [getting the strongest
     metadata from <var>parsedMetadata</var>][get-the-strongest].
 5.  For each <var>item</var> in <var>metadata</var>:
@@ -455,12 +455,10 @@ correctly, even if the HTTPS version of a resource differs from the HTTP
 version.
 {:.note}
 
-This algorithm returns `true` if the response is not eligible for integrity
-validation, on the general principle that client errors (in this case, an
-attempt to validate the integrity of a response that is not accessible via
-same-origin or CORS) should fail open since they are not the result of an attack
-in the threat model of this specification. However, user agents SHOULD report
-a warning message about this failure in the developer console.
+This algorithm returns `false` if the response is not [eligible] for integrity
+validation since Subresource Integrity requires CORS, and it is a logical error
+to attempt to use it without CORS. Additionally, user agents SHOULD report a
+warning message to the developer console to explain this failure.
 {:.note}
 </section><!-- Algorithms::Match -->
 </section><!-- Algorithms -->
