Re: CORS for local resources

On Wed, Feb 12, 2014 at 7:51 PM, Anne van Kesteren <> wrote:

> On Wed, Feb 12, 2014 at 12:05 AM, Mountie Lee <> wrote:
> > I have some questions.
> > Have we (these WebAppSec members) discussed CORS for local resources?
> > Web Storage (IDB, LocalStorage...) or other origin-specific resources are
> > bound to the same origin.
> The storage areas are. The objects they store can be shared.

I think the Web Storage areas (localStorage, IDB and sessionStorage) cannot be
shared with other domains by CORS.

> > I already reviewed postMessage or other cross-origin mechanisms, but those
> > are not the best.
> postMessage() is how you share JavaScript objects across origins. What
> is the problem?

If we have two domains ( ,, ),
the certificate key pair will be bound to for the certificate;
the key reference (not the key material, which is not exportable normally) will
be exposed to web storage (e.g. IDB), which is bound to the domain.
When users first visit , there is no way to detect my keys in 's web storage.
When users first visit , there is no way to share my keys with even via CORS, because web storage is in the UA's local store and the keys
are un-exportable.

This is my problem.


Mountie Lee

Tel : +82 2 2140 2700
E-Mail :

PayGate Inc.
for Korea, Japan, China, and the World

Received on Wednesday, 12 February 2014 14:11:31 UTC
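As an added example, not code from this thread or from any of its participants: one way to hand a non-extractable key handle from one origin to another with postMessage(), as Anne describes, where the sender pins the target origin and the receiver checks the sender's origin before keeping the handle in its own IndexedDB. The origin names and function names are assumptions for illustration.

```javascript
// Added example (not from the thread). A CryptoKey handle is structured-cloneable,
// so postMessage() can deliver it to another origin without any key material
// leaving the UA; the receiver then stores the handle in its own origin's IDB.
'use strict';

const KEY_OWNER_ORIGIN = 'https://key-owner.example';       // constructed value
const KEY_CONSUMER_ORIGIN = 'https://key-consumer.example'; // constructed value

// Origin A: generate a signing key whose raw material can never be exported.
async function generateSigningKey(subtle) {
  return subtle.generateKey(
    { name: 'ECDSA', namedCurve: 'P-256' },
    false,              // extractable = false: only the handle is ever shared
    ['sign', 'verify']);
}

// Origin A: hand the private-key handle to B's window (e.g. an embedded iframe).
// An explicit targetOrigin prevents delivery if the frame navigated elsewhere.
function shareKey(targetWindow, keyPair) {
  targetWindow.postMessage({ type: 'key-handle', key: keyPair.privateKey },
                           KEY_CONSUMER_ORIGIN);
  return KEY_CONSUMER_ORIGIN;
}

// Origin B: accept a handle only from the expected sender and message shape.
function acceptKeyMessage(event) {
  if (event.origin !== KEY_OWNER_ORIGIN) return null;   // drop all other origins
  const data = event.data;
  if (!data || data.type !== 'key-handle' || !data.key) return null;
  return data.key;
}

// Origin B: persist the handle in B's own IndexedDB ('keys' store assumed to exist).
// Structured clone stores the CryptoKey object itself, still non-extractable.
function storeKeyHandle(db, key) {
  return new Promise((resolve, reject) => {
    const req = db.transaction('keys', 'readwrite').objectStore('keys').put(key, 'signing');
    req.onsuccess = () => resolve(true);
    req.onerror = () => reject(req.error);
  });
}

// Browser-only wiring for origin B; skipped when run outside a window context.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (ev) => {
    const key = acceptKeyMessage(ev);
    if (key) { /* open B's own database, then storeKeyHandle(db, key) */ }
  });
}
```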