CORS for local resources

Hi.

I have some questions.
do we(these WebAppSec members) have discussed CORS for local resources?
Web Storage (IDB, LocalStorage...) or other origin specific resources are
bound to same origin.

in the WebCryptoWG, they are starting to touch certificate issues.
one of the problem occurred is Same-Origin-Policy.
current API design idea is that the cryptography keys are bound to same
origin.
but the keys are escalated to certificate level, SOP has conflict with
existing user experience of TLS client certificate.

common use cases with certificate are as following.
1. user generate keypair on site-A
2. user send certificate signing request via PKCS#10 or CMP mechanism to
CA(site-B) on CA(site-B) ==> first conflict (can not generate CSR on site-B
because of SOP)
3. anyway after installing certificate to UA, user visit site-C and send
signature to site-C ==> second conflict (can not approach to certificate
keypair which was generate on site-A or get certificate from site-B)

I already reviewed postMessage or other cross-origin mechanisms. but those
are not the best.

any comment?

-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World