- From: Mountie Lee <mountie@paygate.net>
- Date: Wed, 12 Feb 2014 23:10:37 +0900
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAE-+aYKOWNLppGPgsNgmchUPu13TzsS75wAO8Lzg_OwFh3YRHg@mail.gmail.com>
On Wed, Feb 12, 2014 at 7:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, Feb 12, 2014 at 12:05 AM, Mountie Lee <mountie@paygate.net> wrote:
> > I have some questions.
> > Have we (the WebAppSec members) discussed CORS for local resources?
> > Web Storage (IDB, LocalStorage...) or other origin-specific resources are
> > bound to the same origin.
>
> The storage areas are. The objects they store can be shared.
>

I think the Web Storages (localStorage, IDB and sessionStorage) cannot be shared with other domains by CORS.
http://stackoverflow.com/questions/20190114/does-cors-affects-localstorage

> > I already reviewed postMessage and other cross-origin mechanisms, but those
> > are not the best.
>
> postMessage() is how you share JavaScript objects across origins. What
> is the problem?
>

If we have two domains (trustca.com, mybank.com), the certificate key pair will be bound to trustca.com for certificate management.
The key reference (not the key material, which is normally not exportable) will be exposed to web storage (e.g. IDB), which is bound to the trustca.com domain.
When users first visit mybank.com, there is no way to detect my keys in trustca.com's web storage.
When users first visit trustca.com, there is no way to share my keys with mybank.com, even via CORS, because web storage is local to the UA and the keys are unexportable.
This is my problem.

> --
> http://annevankesteren.nl/
>

--
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Wednesday, 12 February 2014 14:11:31 UTC
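The pattern Anne points at (storage stays origin-bound, postMessage carries the cross-origin traffic) can be made concrete. The following is an added example written for this page, not code from the thread or from PayGate: trustca.com serves a small page that mybank.com embeds in a hidden iframe; that page keeps non-extractable WebCrypto keys (which it could persist in its own IndexedDB, readable only by trustca.com) and answers sign requests from an allow-listed parent origin. Key material never crosses the origin boundary; only opaque key ids, payloads and signatures do. The origins, key ids, message shapes and the ECDSA P-256 choice are assumptions for illustration.

```javascript
// Added example (not from the thread): a postMessage "key broker" hosted by
// https://trustca.com and embedded as a hidden iframe by https://mybank.com.
// Origins, key ids and message shapes are assumptions for illustration.

const subtle = globalThis.crypto && globalThis.crypto.subtle; // WebCrypto (browser or Node 19+)
const ALLOWED_CLIENT_ORIGINS = new Set(['https://mybank.com']); // assumed allow-list
const SIGN_ALG = { name: 'ECDSA', hash: 'SHA-256' };

// Validate one incoming request. Returns null if acceptable, otherwise a reason.
// The origin check comes first: a message from anywhere else is never acted on.
function checkRequest(origin, data, allowed) {
  if (!allowed.has(origin)) return 'origin not allowed';
  if (data === null || typeof data !== 'object') return 'malformed request';
  if (typeof data.id !== 'string') return 'missing request id';
  if (data.type === 'listKeys') return null;
  if (data.type === 'sign') {
    if (typeof data.keyId !== 'string') return 'missing keyId';
    if (!(data.payload instanceof Uint8Array)) return 'payload must be a Uint8Array';
    return null;
  }
  return 'unknown request type';
}

// Broker state on the trustca.com side: keyId -> { privateKey, publicKey }.
// The private CryptoKey is non-extractable, so even this page cannot export it.
class KeyBroker {
  constructor(allowed) {
    this.allowed = allowed;
    this.keys = new Map();
  }

  // Generate a non-extractable P-256 key pair and register it under keyId.
  async createKey(keyId) {
    const pair = await subtle.generateKey(
      { name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign', 'verify']);
    this.keys.set(keyId, pair);
    return pair.publicKey; // the public half may be shared; the private half never leaves
  }

  // Build the reply for one message. Returns null (no reply at all) for a
  // disallowed origin, so the broker never talks to an unexpected window.
  async handle(origin, data) {
    const err = checkRequest(origin, data, this.allowed);
    if (err === 'origin not allowed') return null;
    const id = data && typeof data.id === 'string' ? data.id : null;
    if (err) return { id, ok: false, error: err };
    if (data.type === 'listKeys') return { id, ok: true, keyIds: [...this.keys.keys()] };
    const entry = this.keys.get(data.keyId);
    if (!entry) return { id, ok: false, error: 'unknown keyId' };
    const sig = new Uint8Array(await subtle.sign(SIGN_ALG, entry.privateKey, data.payload));
    return { id, ok: true, keyId: data.keyId, signature: sig };
  }
}

// Browser wiring for the trustca.com iframe page.
function installBrokerListener(broker) {
  window.addEventListener('message', async (event) => {
    const reply = await broker.handle(event.origin, event.data);
    // Reply only to the window that asked, pinned to its exact origin.
    if (reply && event.source) event.source.postMessage(reply, event.origin);
  });
}

// Client side at mybank.com: ask the trustca.com iframe to sign `payload`.
// The request is pinned to the broker origin and replies from any other origin are ignored.
function requestSignature(brokerWindow, keyId, payload, brokerOrigin = 'https://trustca.com') {
  return new Promise((resolve, reject) => {
    const id = String(Math.random()).slice(2);
    const onReply = (event) => {
      if (event.origin !== brokerOrigin || !event.data || event.data.id !== id) return;
      window.removeEventListener('message', onReply);
      if (event.data.ok) resolve(event.data.signature);
      else reject(new Error(event.data.error));
    };
    window.addEventListener('message', onReply);
    brokerWindow.postMessage({ id, type: 'sign', keyId, payload }, brokerOrigin);
  });
}

// Only the embedded broker page installs the listener; the module is otherwise inert.
if (typeof window !== 'undefined' && window.parent !== window) {
  installBrokerListener(new KeyBroker(ALLOWED_CLIENT_ORIGINS));
}
```

The broker deliberately offers no `export` operation: the only verbs are `listKeys` and `sign`, which is what keeps the key reference usable from mybank.com without the key material ever leaving trustca.com's origin. In a real deployment the allow-list would be the one place to review when adding a relying party, and the iframe page should send no reply at all to origins outside it.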