Re: CORS for local resources

On Wed, Feb 12, 2014 at 7:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Feb 12, 2014 at 12:05 AM, Mountie Lee <mountie@paygate.net> wrote:
> > I have some questions.
> > do we(these WebAppSec members) have discussed CORS for local resources?
> > Web Storage (IDB, LocalStorage...) or other origin specific resources are
> > bound to same origin.
>
> The storage areas are. The objects they store can be shared.
>

I think the Web Storages (localStorage, IDB and sessionStorage) can not be
shared with other domain by CORS.
http://stackoverflow.com/questions/20190114/does-cors-affects-localstorage


>
>
> > I already reviewed postMessage or other cross-origin mechanisms. but
> those
> > are not the best.
>
> postMessage() is how you share JavaScript objects across origins. What
> is the problem?
>

if we have two domains (trustca.com , mybank.com),
the certificate key pair will be bound to trustca.com for certificate
management
the key reference(not key material which is not exportable normally) will
be exposed to web storage (ex: IDB) which is bound to trustca.com domain
when users first visit to mybank.com, no way to detect my keys in
trustca.com's web storage.
when users first visit to trustca.com, no way to share my keys with
mybank.com even via CORS. because web storage is in UA's local and the keys
are un-exportable.

this is my problem.


>
> --
> http://annevankesteren.nl/
>



-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Wednesday, 12 February 2014 14:11:31 UTC