- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 8 May 2013 19:02:38 -0700
- To: Mountie Lee <mountie@paygate.net>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, May 8, 2013 at 6:43 PM, Mountie Lee <mountie@paygate.net> wrote:
> WebCrypto API specification follow same-origin security policy for
> cryptography key.
>
> the cryptography key which will be symmetric or asymmetric key is currently
> origin-specific and stored in local indexDB of UA.
>
> but
>
> by considering UseCases of EU (eID..) or Korea (National Certificate)
> we need cross-origin operation.
>
> I think,
> if "Access-Control-Allow-Origin" header has the list of URLs,
> the origin-specific local keys can be shared on the URLs of CORS header.
> does it make sense?

Okay, so
https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#dfn-Key
is tied to an origin? That does not seem very well defined in the
specification apart from in some notes around the subject.

In any event, CORS is not going to help you sharing that key with
other origins. You need a different solution. E.g. a way to obtain a
key that's not tied to an origin.

--
http://annevankesteren.nl/

Received on Thursday, 9 May 2013 02:03:08 UTC