Re: CORS and local resources

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 8 May 2013 19:02:38 -0700
Message-ID: <CADnb78j7RQqpPa4X6PK1kUELDhXtAPzVgAXSAa2OVCZqDFdQVw@mail.gmail.com>
To: Mountie Lee <mountie@paygate.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, May 8, 2013 at 6:43 PM, Mountie Lee <mountie@paygate.net> wrote:
> The WebCrypto API specification follows the same-origin security policy for
> cryptography keys.
>
> The cryptography key, which will be a symmetric or asymmetric key, is currently
> origin-specific and stored in the local IndexedDB of the UA.
>
> But
>
> by considering use cases of the EU (eID..) or Korea (National Certificate),
> we need cross-origin operation.
>
> I think,
> if the "Access-Control-Allow-Origin" header has the list of URLs,
> the origin-specific local keys can be shared on the URLs of the CORS header.
> Does it make sense?

Okay, so https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#dfn-Key
is tied to an origin? That does not seem very well defined in the
specification apart from in some notes around the subject. In any
event, CORS is not going to help you share that key with other
origins. You need a different solution. E.g. a way to obtain a key
that's not tied to an origin.


--
http://annevankesteren.nl/
Received on Thursday, 9 May 2013 02:03:08 UTC