W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Re: CORS and local resources

From: Mountie Lee <mountie@paygate.net>
Date: Thu, 9 May 2013 11:19:03 +0900
Message-ID: <CAE-+aYLNS62EXpXz=MbsyZRMAdDkZ1SFK8JkZ2bWEmy0x25tPQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi.
thanks.
I think cross-origin key sharing will be discussed in WebCrypto WG more.

my question for WebAppSec is
does the Resource of CORS stands for remote Resource only?
can the local resources (not just for cryptography key) be in scope of CORS?

regards
mountie.


On Thu, May 9, 2013 at 11:02 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, May 8, 2013 at 6:43 PM, Mountie Lee <mountie@paygate.net> wrote:
> > WebCrypto API specification follow same-origin security policy for
> > cryptography key.
> >
> > the cryptography key which will be symmetric or asymmetric key is
> currently
> > origin-specific and stored in local indexDB of UA.
> >
> > but
> >
> > by considering UseCases of EU (eID..) or Korea (National Certificate)
> > we need cross-origin operation.
> >
> > I think,
> > if "Access-Control-Allow-Origin" header has the list of URLs,
> > the origin-specific local keys can be shared on the URLs of CORS header.
> > does it make sense?
>
> Okay, so
> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#dfn-Key
> is tied to an origin? That does not seem very well defined in the
> specification apart from in some notes around the subject. In any
> event, CORS is not going to help you sharing that key with other
> origins. You need a different solution. E.g. a way to obtain a key
> that's not tied to an origin.
>
>
> --
> http://annevankesteren.nl/
>



-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Thursday, 9 May 2013 02:19:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC