- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 12 Feb 2014 14:18:39 +0000
- To: Mountie Lee <mountie@paygate.net>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 12, 2014 at 2:10 PM, Mountie Lee <mountie@paygate.net> wrote:
> On Wed, Feb 12, 2014 at 7:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> The storage areas are. The objects they store can be shared.
>
> I think the Web Storages (localStorage, IDB and sessionStorage) cannot be
> shared with other domains by CORS.

CORS is a protocol over HTTP. So that statement does not even make sense.

>> postMessage() is how you share JavaScript objects across origins. What
>> is the problem?
>
> If we have two domains (trustca.com, mybank.com),
> the certificate key pair will be bound to trustca.com for certificate
> management.
> The key reference (not the key material, which is normally not exportable) will be
> exposed to web storage (e.g. IDB), which is bound to the trustca.com domain.
> When users first visit mybank.com, there is no way to detect my keys in
> trustca.com's web storage.
> When users first visit trustca.com, there is no way to share my keys with
> mybank.com, even via CORS, because web storage is local to the UA and the keys
> are un-exportable.
>
> This is my problem.

This is not a very clear description. If trustca.com has access to its
storage, why would it not be able to share those objects in some manner
with mybank.com? If on trustca.com I store a string "x" in IDB, I can
certainly postMessage() that to mybank.com if it decides to embed me or
some such.

--
http://annevankesteren.nl/
Received on Wednesday, 12 February 2014 14:19:06 UTC
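The embed-and-postMessage() arrangement the reply sketches, as an added example that is not part of the thread: mybank.com embeds a trustca.com frame, and trustca.com hands over a stored key reference (never key material) while both sides pin the peer origin. The origins, file name, and message shape are assumptions made for this illustration.

```javascript
// Added example (not from the thread): trustca.com, embedded as an iframe by
// mybank.com, passes a key *reference* to the embedder via postMessage().
// Both sides check event.origin and pin targetOrigin instead of using '*'.
// Origins, file name and message shape are assumptions for this illustration.

const TRUSTCA = 'https://trustca.com';
const MYBANK = 'https://mybank.com';

// Constructed stand-in for what trustca.com keeps in IndexedDB: a handle, not the key.
const STORED_KEY_REF = { keyId: 'kid-0001', algorithm: 'RSASSA-PKCS1-v1_5', usages: ['sign'] };

// trustca.com side: only answer requests that come from the expected embedder.
function buildReply(event, expectedOrigin = MYBANK, store = STORED_KEY_REF) {
  if (event.origin !== expectedOrigin) return null;                  // ignore other origins
  if (!event.data || event.data.type !== 'get-key-ref') return null; // ignore unknown messages
  // Structured clone copies the object; the key material itself never leaves IndexedDB.
  return { type: 'key-ref', ref: { ...store } };
}

// mybank.com side: accept a reply only from trustca.com and only of the expected shape.
function acceptReply(event, expectedOrigin = TRUSTCA) {
  if (event.origin !== expectedOrigin) return null;
  const d = event.data;
  if (!d || d.type !== 'key-ref' || typeof d.ref?.keyId !== 'string') return null;
  return d.ref;
}

// Browser wiring (skipped under Node so the functions above can be unit-tested).
if (typeof window !== 'undefined') {
  if (window.location.origin === TRUSTCA) {
    window.addEventListener('message', (event) => {
      const reply = buildReply(event);
      if (reply) event.source.postMessage(reply, event.origin); // targetOrigin pinned to the asker
    });
  } else if (window.location.origin === MYBANK) {
    const frame = document.createElement('iframe');
    frame.src = TRUSTCA + '/keyref.html'; // assumed page served by trustca.com
    document.body.appendChild(frame);
    window.addEventListener('message', (event) => {
      const ref = acceptReply(event);
      if (ref) console.log('got key reference', ref.keyId);
    });
    frame.addEventListener('load', () => {
      frame.contentWindow.postMessage({ type: 'get-key-ref' }, TRUSTCA); // never '*'
    });
  }
}
```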