
Re: CORS for local resources

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 12 Feb 2014 14:18:39 +0000
Message-ID: <CADnb78j=H10UjBeRR4-jiFxtGD95JNQkc4yJX1t-jg5SU9+dmQ@mail.gmail.com>
To: Mountie Lee <mountie@paygate.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 12, 2014 at 2:10 PM, Mountie Lee <mountie@paygate.net> wrote:
> On Wed, Feb 12, 2014 at 7:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> The storage areas are. The objects they store can be shared.
>
> I think the Web Storages (localStorage, IDB and sessionStorage) cannot be
> shared with other domains by CORS.

CORS is a protocol over HTTP. So that statement does not even make sense.


>> postMessage() is how you share JavaScript objects across origins. What
>> is the problem?
>
> If we have two domains (trustca.com, mybank.com),
> the certificate key pair will be bound to trustca.com for certificate
> management.
> The key reference (not the key material, which is normally not exportable) will be
> exposed to web storage (e.g. IDB), which is bound to the trustca.com domain.
> When users first visit mybank.com, there is no way to detect my keys in
> trustca.com's web storage.
> When users first visit trustca.com, there is no way to share my keys with
> mybank.com even via CORS, because web storage is local to the UA and the keys
> are non-exportable.
>
> This is my problem.

This is not a very clear description. If trustca.com has access to its
storage, why would it not be able to share those objects in some
manner with mybank.com? If on trustca.com I store a string "x" in IDB,
I can certainly postMessage() that to mybank.com if it decides to
embed me or some such.


-- 
http://annevankesteren.nl/
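An added example, not from this thread, of the pattern Anne describes: trustca.com keeps the key reference in its own origin-scoped storage and hands it to an embedding mybank.com page through postMessage(), with both sides checking origins. The domain names, the `get-key-ref` message shape and the in-memory stand-in for the IDB lookup are assumptions.

```javascript
// Storage (IDB, localStorage) is origin-scoped and CORS does not apply to it;
// postMessage() is the cross-origin channel. Only a key *reference* travels,
// never key material. Domains and message shape are assumed, not from the thread.

// Origins trustca.com is willing to answer (assumed allowlist).
const ALLOWED_EMBEDDERS = new Set(['https://mybank.com']);

// Constructed stand-in for an IndexedDB lookup in trustca.com's own storage.
const keyRefStore = new Map([['user-42', 'keyref:trustca:user-42:ecdsa-p256']]);

// trustca.com side (inside the iframe): validate a request, build the reply.
// Returns the reply object, or null when the request must be ignored.
function handleKeyRefRequest(event) {
  if (!ALLOWED_EMBEDDERS.has(event.origin)) return null; // unknown embedder
  const msg = event.data;
  if (!msg || msg.type !== 'get-key-ref' || typeof msg.userId !== 'string') return null;
  return { type: 'key-ref', userId: msg.userId, keyRef: keyRefStore.get(msg.userId) ?? null };
}

// mybank.com side (the embedder): the request, and the origin check applied
// to replies so a spoofed frame cannot inject a key reference.
function buildKeyRefRequest(userId) {
  return { type: 'get-key-ref', userId };
}
function acceptKeyRefReply(event) {
  if (event.origin !== 'https://trustca.com') return null; // reply must come from trustca.com
  const msg = event.data;
  if (!msg || msg.type !== 'key-ref' || typeof msg.keyRef !== 'string') return null;
  return msg.keyRef;
}

// Browser wiring; skipped under Node so the functions above stay testable.
if (typeof window !== 'undefined') {
  if (window.location.origin === 'https://trustca.com') {
    window.addEventListener('message', (event) => {
      const reply = handleKeyRefRequest(event);
      if (reply) event.source.postMessage(reply, event.origin); // answer only the checked origin
    });
  } else {
    const frame = document.querySelector('iframe#trustca'); // assumed iframe id
    window.addEventListener('message', (event) => {
      const keyRef = acceptKeyRefReply(event);
      if (keyRef) console.log('key reference from trustca.com:', keyRef);
    });
    // Explicit targetOrigin: the request never reaches a frame of another origin.
    frame.contentWindow.postMessage(buildKeyRefRequest('user-42'), 'https://trustca.com');
  }
}
```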
Received on Wednesday, 12 February 2014 14:19:06 UTC
