W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2014

Re: CORS for local resources

From: Mountie Lee <mountie@paygate.net>
Date: Wed, 12 Feb 2014 23:10:37 +0900
Message-ID: <CAE-+aYKOWNLppGPgsNgmchUPu13TzsS75wAO8Lzg_OwFh3YRHg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 12, 2014 at 7:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Feb 12, 2014 at 12:05 AM, Mountie Lee <mountie@paygate.net> wrote:
> > I have some questions.
> > do we(these WebAppSec members) have discussed CORS for local resources?
> > Web Storage (IDB, LocalStorage...) or other origin specific resources are
> > bound to same origin.
> The storage areas are. The objects they store can be shared.

I think the Web Storages (localStorage, IDB and sessionStorage) can not be
shared with other domain by CORS.

> > I already reviewed postMessage or other cross-origin mechanisms. but
> those
> > are not the best.
> postMessage() is how you share JavaScript objects across origins. What
> is the problem?

if we have two domains (trustca.com , mybank.com),
the certificate key pair will be bound to trustca.com for certificate
the key reference(not key material which is not exportable normally) will
be exposed to web storage (ex: IDB) which is bound to trustca.com domain
when users first visit to mybank.com, no way to detect my keys in
trustca.com's web storage.
when users first visit to trustca.com, no way to share my keys with
mybank.com even via CORS. because web storage is in UA's local and the keys
are un-exportable.

this is my problem.

> --
> http://annevankesteren.nl/

Mountie Lee

Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

PayGate Inc.
for Korea, Japan, China, and the World
Received on Wednesday, 12 February 2014 14:11:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:37 UTC