Re: CORS for local resources

On Wed, Feb 12, 2014 at 2:10 PM, Mountie Lee <mountie@paygate.net> wrote:
> On Wed, Feb 12, 2014 at 7:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> The storage areas are. The objects they store can be shared.
>
> I think the Web Storages (localStorage, IDB and sessionStorage) cannot be
> shared with other domains via CORS.

CORS is a protocol over HTTP. So that statement does not even make sense.


>> postMessage() is how you share JavaScript objects across origins. What
>> is the problem?
>
> If we have two domains (trustca.com, mybank.com),
> the certificate key pair will be bound to trustca.com for certificate
> management.
> The key reference (not the key material, which is normally not exportable)
> will be exposed to web storage (e.g. IDB), which is bound to the trustca.com
> domain.
> When users first visit mybank.com, there is no way to detect my keys in
> trustca.com's web storage.
> When users first visit trustca.com, there is no way to share my keys with
> mybank.com, even via CORS, because web storage is local to the UA and the
> keys are un-exportable.
>
> This is my problem.

This is not a very clear description. If trustca.com has access to its
storage, why would it not be able to share those objects in some
manner with mybank.com? If on trustca.com I store a string "x" in IDB,
I can certainly postMessage() that to mybank.com if it decides to
embed me or some such.


-- 
http://annevankesteren.nl/

Received on Wednesday, 12 February 2014 14:19:06 UTC
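
Added example, not part of the original message or any participant's code: a sketch of the postMessage() exchange described in the reply above, where trustca.com is embedded by mybank.com and hands over a string it stored in IDB. The https scheme, the message shape, the database and store names, and all function names are assumptions made for illustration.

```javascript
// Origins use the thread's domains; the https scheme is an assumption.
const CA_ORIGIN = "https://trustca.com";
const BANK_ORIGIN = "https://mybank.com";

// trustca.com side: read one value from its own IndexedDB.
// Database and store names ("ca-store", "refs") are hypothetical.
function idbLookup(key, cb) {
  const open = indexedDB.open("ca-store", 1);
  open.onupgradeneeded = () => open.result.createObjectStore("refs");
  open.onsuccess = () => {
    const get = open.result.transaction("refs").objectStore("refs").get(key);
    get.onsuccess = () => cb(get.result);
  };
}

// trustca.com side (embedded as an iframe): answer only listed embedders.
function makeCaHandler(lookup, allowedOrigins) {
  return function onMessage(event) {
    if (!allowedOrigins.includes(event.origin)) return false;
    if (!event.data || event.data.type !== "get") return false;
    const key = event.data.key;
    // Reply with an explicit targetOrigin instead of "*", so only the
    // requester's origin can receive the stored value.
    lookup(key, (value) =>
      event.source.postMessage({ type: "value", key, value }, event.origin));
    return true;
  };
}

// mybank.com side: accept replies only from the trustca.com frame it embedded.
function makeBankHandler(caFrameWindow, onValue) {
  return function onMessage(event) {
    if (event.origin !== CA_ORIGIN || event.source !== caFrameWindow) return false;
    if (!event.data || event.data.type !== "value") return false;
    onValue(event.data.value);
    return true;
  };
}

// Browser wiring for the trustca.com frame (skipped outside a browser).
if (typeof window !== "undefined" && window.parent !== window) {
  window.addEventListener("message", makeCaHandler(idbLookup, [BANK_ORIGIN]));
}
// On mybank.com, with `frame` being the iframe element that loads trustca.com:
//   window.addEventListener("message", makeBankHandler(frame.contentWindow, use));
//   frame.contentWindow.postMessage({ type: "get", key: "ref" }, CA_ORIGIN);
```

Both handlers check event.origin before touching event.data, and the bank side also checks event.source, so a message from any other window or origin is ignored.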