Attempting SRI against some domains which do not support CORS #147

@claudijd

From Aaron Schiffer:

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

On our company website https://www.chemgenes.com, we attempted to apply subresource integrity to the "security seals" we currently display at the bottom -- these are cross-origin scripts issued by seal.digicert.com and seal.securetrust.com.

Actual results:

The domains do not support the CORS standard. Subresource Integrity could not be applied.

Expected results:

I expected they might support the CORS standard.

The paragraphs at https://infosec.mozilla.org/guidelines/web_security#subresource-integrity indicate, "if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf."

The resources offered may not constitute a CDN per se -- however, would Mozilla Information Security please still be able to contact these two entities, to request they support CORS?

Thank you.
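
The constraint behind this report, as an added example that is not part of the original issue: a browser enforces `integrity` on a cross-origin script only when the script is fetched in CORS mode (`crossorigin="anonymous"`) and the host answers with a matching `Access-Control-Allow-Origin` header. The origin, URLs, headers and script body below are constructed placeholders, not responses from the hosts named in the report.

```python
import base64
import hashlib
import html

PAGE_ORIGIN = "https://www.example.test"  # assumption: origin of the embedding page


def sri_integrity(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity attribute value for the exact bytes served."""
    if alg not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only defines sha256, sha384 and sha512")
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def cors_readable(headers: dict, page_origin: str) -> bool:
    """True if an anonymous (credential-less) CORS fetch from page_origin passes."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    return acao in ("*", page_origin)


def script_tag(url: str, body: bytes, headers: dict, page_origin: str = PAGE_ORIGIN):
    """Build a <script> tag with SRI, or return None when the host sends no
    usable CORS header (the browser would block the script instead of loading it)."""
    if not cors_readable(headers, page_origin):
        return None
    return (
        f'<script src="{html.escape(url, quote=True)}" '
        f'integrity="{sri_integrity(body)}" crossorigin="anonymous"></script>'
    )


# Constructed sample responses: one host without CORS, one with it.
NO_CORS = {"Content-Type": "application/javascript"}
WITH_CORS = {"Content-Type": "application/javascript",
             "access-control-allow-origin": "*"}
BODY = b"console.log('seal');\n"

if __name__ == "__main__":
    for name, hdrs in (("no-cors host", NO_CORS), ("cors host", WITH_CORS)):
        tag = script_tag("https://seal.example.test/seal.js", BODY, hdrs)
        print(name, "->", tag or "SRI not applicable: no Access-Control-Allow-Origin")
```
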