An attacker attacker.example can figure out what resources a stylesheet target.example loads by including it on attacker.example and using either the resource timing (shipped) or service worker (about to ship) API. This violates SOP. (@annevk)

• "no-cors" CSS SOP violation ServiceWorker#719
• https://bugzilla.mozilla.org/show_bug.cgi?id=1180145