Re: CORS for local resources from Mountie Lee on 2014-02-12 (public-webappsec@w3.org from February 2014)

From: Mountie Lee <mountie@paygate.net>
Date: Wed, 12 Feb 2014 23:29:18 +0900
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAE-+aY+rkU6_k74AUpiRO0SnQ_ssgM8q_tnUkpb1JykEqS-TZA@mail.gmail.com>

On Wed, Feb 12, 2014 at 11:18 PM, Anne van Kesteren <annevk@annevk.nl>wrote:

> On Wed, Feb 12, 2014 at 2:10 PM, Mountie Lee <mountie@paygate.net> wrote:
> > On Wed, Feb 12, 2014 at 7:51 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> >> The storage areas are. The objects they store can be shared.
> >
> > I think the Web Storages (localStorage, IDB and sessionStorage) can not
> be
> > shared with other domain by CORS.
>
> CORS is a protocol over HTTP. So that statement does not even make sense.
>

current CORS protocol is applicable for remote resources not for local
resources.
my question is "is there any idea accessing local resources of domain-B by
setting CORS header from domain-A?"

>
> >> postMessage() is how you share JavaScript objects across origins. What
> >> is the problem?
> >
> > if we have two domains (trustca.com , mybank.com),
> > the certificate key pair will be bound to trustca.com for certificate
> > management
> > the key reference(not key material which is not exportable normally)
> will be
> > exposed to web storage (ex: IDB) which is bound to trustca.com domain
> > when users first visit to mybank.com, no way to detect my keys in
> > trustca.com's web storage.
> > when users first visit to trustca.com, no way to share my keys with
> > mybank.com even via CORS. because web storage is in UA's local and the
> keys
> > are un-exportable.
> >
> > this is my problem.
>
> This is not a very clear description. If trustca.com has access to its
> storage, why would it not be able to share those objects in some
> manner with mybank.com? If on trustca.com I store a string "x" in IDB,
> I can certainly postMessage() that to mybank.com if it decides to
> embed me or some such.
>

the key is very sensitive data.
normally it will be un-exportable.
in the storage, only an reference (pointer to key material which is managed
by UA and bound to specific domain) is exposed.
if the reference data is sent via postMessage from trustca.com to mybank.com's
control,
on mybank.com, the key reference is useless (already lost pointer to key
material).

>
>
> --
> http://annevankesteren.nl/
>

-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Wednesday, 12 February 2014 14:30:07 UTC