
Re: CORS for local resources

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 12 Feb 2014 14:33:43 +0000
Message-ID: <CADnb78h1Y73d9_5iHLMDFOekFUbsb-ObrDY+7nL5=UeJ92hp1w@mail.gmail.com>
To: Mountie Lee <mountie@paygate.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Feb 12, 2014 at 2:29 PM, Mountie Lee <mountie@paygate.net> wrote:
> On Wed, Feb 12, 2014 at 11:18 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>> CORS is a protocol over HTTP. So that statement does not even make sense.
>
> The current CORS protocol is applicable to remote resources, not to local
> resources.
> My question is: "is there any idea for accessing local resources of domain-B by
> setting a CORS header from domain-A?"

If by "local resource" you mean IDB (which you indicated) there would
not be any HTTP involved and therefore CORS (being an HTTP protocol)
would not apply.


>> This is not a very clear description. If trustca.com has access to its
>> storage, why would it not be able to share those objects in some
>> manner with mybank.com? If on trustca.com I store a string "x" in IDB,
>> I can certainly postMessage() that to mybank.com if it decides to
>> embed me or some such.
>
> The key is very sensitive data.
> Normally it will be un-exportable.

What does that mean? Can you hold a reference to it in JavaScript?


> In the storage, only a reference (a pointer to key material which is managed
> by the UA and bound to a specific domain) is exposed.
> If the reference data is sent via postMessage from trustca.com to
> mybank.com's control,
> on mybank.com the key reference is useless (the pointer to the key
> material is already lost).

Surely that can be fixed by providing explicit structured clone
support for this object.


-- 
http://annevankesteren.nl/
Received on Wednesday, 12 February 2014 14:34:14 UTC