@@ -542,7 +542,7 @@ <h4 id="does-varresponsevar-match-varmetadatalistvar">Does <var>response</var> m
< a href ="#parse-metadata.x "> parsing < var > metadataList</ var > </ a > .</ li >
< li > If < var > parsedMetadata</ var > is < code > no metadata</ code > , return < code > true</ code > .</ li >
< li > If < a href ="#is-response-eligible-for-integrity-validation "> < var > response</ var > is not eligible for integrity
- validation</ a > , return < code > true </ code > .</ li >
+ validation</ a > , return < code > false </ code > .</ li >
< li > Let < var > metadata</ var > be the result of < a href ="#get-the-strongest-metadata-from-set.x "> getting the strongest
metadata from < var > parsedMetadata</ var > </ a > .</ li >
< li > For each < var > item</ var > in < var > metadata</ var > :
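Review bot: the flip from `true` to `false` on line 545 makes a response that is not eligible for integrity validation fail closed, which is a behaviour change for any page that sets `integrity` on a cross-origin resource without opting into CORS. Because the `no metadata` check on line 543 still returns `true` before this step, only elements that actually carry integrity metadata are affected; that scope should be spelled out in the commit message or spec changelog so implementers can judge the compatibility impact. Also confirm that the linked definition `#is-response-eligible-for-integrity-validation` and any conformance tests written against the old fail-open result are updated in the same change.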
@@ -580,12 +580,10 @@ <h4 id="does-varresponsevar-match-varmetadatalistvar">Does <var>response</var> m
correctly, even if the HTTPS version of a resource differs from the HTTP
version.</ p >
- < p class ="note "> This algorithm returns < code > true</ code > if the response is not eligible for integrity
- validation, on the general principle that client errors (in this case, an
- attempt to validate the integrity of a response that is not accessible via
- same-origin or CORS) should fail open since they are not the result of an attack
- in the threat model of this specification. However, user agents SHOULD report
- a warning message about this failure in the developer console.</ p >
+ < p class ="note "> This algorithm returns < code > false</ code > if the response is not eligible for integrity
+ validation since Subresource Integrity requires CORS, and it is a logical error
+ to attempt to use it without CORS. Additionally, user agents SHOULD report a
+ warning message to the developer console to explain this failure.</ p >
</ section >
<!-- Algorithms::Match -->
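Review bot: the new note's justification on lines 583-584, "Subresource Integrity requires CORS", is narrower than the eligibility rule it explains: the deleted text correctly said "same-origin or CORS", and a same-origin response remains eligible without any CORS handshake. Suggest "since Subresource Integrity requires the response to be same-origin or CORS-enabled" so the note matches the linked eligibility definition. Separately, a `SHOULD` inside a `<p class="note">` is non-normative; if the console warning is meant to be a conformance requirement rather than advice, that sentence belongs in the algorithm's normative text, not the note.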
@@ -865,9 +863,6 @@ <h3 id="cross-origin-data-leakage">Cross-origin data leakage</h3>
common usernames, and specify those hashes while repeatedly attempting
to load the document.</ p >
- < p > User agents SHOULD mitigate the risk by refusing to fire < code > error</ code > events
- on elements which loaded non-CORS cross-origin resources, but
- some side-channels will likely be difficult to avoid.</ p >
</ section >
<!-- /Security::cross-origin -->
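Review bot: deleting the paragraph at lines 868-870 leaves the cross-origin data leakage section ending on the description of the attack (hashing common usernames and retrying the load) with no statement of how it is now prevented. Since the match algorithm in this same commit returns `false` for any response that is not eligible for integrity validation, replace the removed paragraph with one sentence saying that non-CORS cross-origin responses never pass integrity validation, so the load outcome no longer depends on the response content; a reader of this section alone should not have to find the algorithm change to understand why the mitigation text went away.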