
Re: adding Access-Control-Allow-Local to CORS

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Mon, 17 Mar 2014 14:46:04 +0100
To: Mountie Lee <mountie@paygate.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <kbqdi99enqcp150lj0u5hvn55am2rk2k76@hive.bjoern.hoehrmann.de>

* Mountie Lee wrote:
>let me add more details on the reason I suggested.
>
>as we know, some local resources are bound to specific origin.
>also we have possible solutions for cross-origin communications like CORS,
>postMessage, structured cloning and JSON.
>
>the requirements were initiated from discussion of Web Crypto WG.
>in the WG, cryptography technologies are discussed and the most important
>part of spec is the KEY(encryption key, decryption key....) for crypto
>operations.
>
>the key is also bound to specific origin.
>the key can be cloned/extracted and posted to different window of domain.
>
>but the key owner will lose key control after posting.
>
>my suggestion is to keep the resource control.

It would help if you describe a complete scenario that illustrates what
you are trying to accomplish, what problem needs solving. The only thing
that sounds like a problem description in your text above is that "the
key owner" loses control of a key after "posting" it somehow. It is very
unclear if and how that is a problem that needs fixing, and since CORS
is about being able to post the key, not maintaining control over it, it
is unclear how CORS is related. So if you could come up with perhaps a
use case description, we might be able to discuss the issue in detail.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Monday, 17 March 2014 13:46:39 UTC
