Re: CORS for local resources

On Wed, Feb 12, 2014 at 2:29 PM, Mountie Lee <mountie@paygate.net> wrote:
> On Wed, Feb 12, 2014 at 11:18 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>> CORS is a protocol over HTTP. So that statement does not even make sense.
>
> current CORS protocol is applicable for remote resources not for local
> resources.
> my question is "is there any idea accessing local resources of domain-B by
> setting CORS header from domain-A?"

If by "local resource" you mean IDB (which you indicated) there would
not be any HTTP involved and therefore CORS (being an HTTP protocol)
would not apply.


>> This is not a very clear description. If trustca.com has access to its
>> storage, why would it not be able to share those objects in some
>> manner with mybank.com? If on trustca.com I store a string "x" in IDB,
>> I can certainly postMessage() that to mybank.com if it decides to
>> embed me or some such.
>
> the key is very sensitive data.
> normally it will be un-exportable.

What does that mean? Can you hold a reference to it in JavaScript?


> in the storage, only a reference (pointer to key material which is managed
> by UA and bound to specific domain) is exposed.
> if the reference data is sent via postMessage from trustca.com to
> mybank.com's control,
> on mybank.com, the key reference is useless (already lost pointer to key
> material).

Surely that can be fixed by providing explicit structured clone
support for this object.


-- 
http://annevankesteren.nl/

Received on Wednesday, 12 February 2014 14:34:14 UTC