- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 12 Feb 2014 14:33:43 +0000
- To: Mountie Lee <mountie@paygate.net>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 12, 2014 at 2:29 PM, Mountie Lee <mountie@paygate.net> wrote:
> On Wed, Feb 12, 2014 at 11:18 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> CORS is a protocol over HTTP. So that statement does not even make sense.
>
> The current CORS protocol is applicable to remote resources, not to local
> resources.
> My question is "is there any idea accessing local resources of domain-B by
> setting a CORS header from domain-A?"

If by "local resource" you mean IDB (which you indicated) there would not be
any HTTP involved and therefore CORS (being an HTTP protocol) would not apply.

>> This is not a very clear description. If trustca.com has access to its
>> storage, why would it not be able to share those objects in some
>> manner with mybank.com? If on trustca.com I store a string "x" in IDB,
>> I can certainly postMessage() that to mybank.com if it decides to
>> embed me or some such.
>
> The key is very sensitive data.
> Normally it will be un-exportable.

What does that mean? Can you hold a reference to it in JavaScript?

> In the storage, only a reference (pointer to key material which is managed
> by the UA and bound to a specific domain) is exposed.
> If the reference data is sent via postMessage from trustca.com to
> mybank.com's control,
> on mybank.com, the key reference is useless (already lost pointer to key
> material).

Surely that can be fixed by providing explicit structured clone support for
this object.

-- 
http://annevankesteren.nl/
Received on Wednesday, 12 February 2014 14:34:14 UTC
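The postMessage() hand-off Anne describes (trustca.com embedded by mybank.com, passing a stored key reference across origins) is sketched below as an added example; it is not code from the thread or from either party. The origins, the `key-request`/`key-response` message shape, and the `lookupKey` callback are constructed for illustration. The security-relevant parts are the ones a defender cares about: the key-holding page answers only an allow-listed `event.origin`, honours only a small explicit message shape, and replies with a pinned target origin rather than `'*'`. Whatever `lookupKey` returns must survive structured clone to be useful on the other side; the Web Crypto API later made `CryptoKey` objects serializable in exactly that sense, so a non-extractable key can cross postMessage() (or be stored in IDB) as a usable handle without exposing the material.

```javascript
// Added example, not part of the original thread. Origins and message
// shapes are constructed for illustration.

// Origins the key-holding page (trustca.com in the thread) will answer.
const TRUSTED_EMBEDDERS = new Set(['https://mybank.com']);

// Build a 'message' event handler for the page that owns the key storage.
// `lookupKey(keyId)` is an assumed callback that resolves a stored key
// reference (e.g. a CryptoKey read back from IDB) or returns undefined.
function makeKeyRequestHandler(trustedOrigins, lookupKey) {
  return function onMessage(event) {
    // 1. Origin check. event.origin is set by the browser from the sender's
    //    origin, so the sender cannot forge it; anything unknown is dropped.
    if (!trustedOrigins.has(event.origin)) {
      return { accepted: false, reason: 'untrusted-origin' };
    }
    // 2. Shape check. Only the explicit, minimal protocol is honoured.
    const msg = event.data;
    if (!msg || msg.type !== 'key-request' || typeof msg.keyId !== 'string') {
      return { accepted: false, reason: 'bad-message' };
    }
    const key = lookupKey(msg.keyId);
    if (!key) {
      return { accepted: false, reason: 'unknown-key' };
    }
    // 3. Reply only to the verified origin. Passing event.origin (never '*')
    //    means the browser discards the reply if the window has navigated
    //    elsewhere in the meantime.
    if (event.source && typeof event.source.postMessage === 'function') {
      event.source.postMessage(
        { type: 'key-response', keyId: msg.keyId, key },
        event.origin,
      );
    }
    return { accepted: true, keyId: msg.keyId };
  };
}

// Requester side (mybank.com in the thread): ask the embedded frame for a
// key by id, pinning the frame's expected origin so the request is never
// delivered to a frame that has been swapped for a different origin.
function requestKey(frameWindow, keyId, frameOrigin) {
  frameWindow.postMessage({ type: 'key-request', keyId }, frameOrigin);
}

// Browser wiring; skipped under Node so the functions stay testable offline.
if (typeof window !== 'undefined') {
  const store = new Map(); // stand-in for an IDB object store of key handles
  window.addEventListener(
    'message',
    makeKeyRequestHandler(TRUSTED_EMBEDDERS, (id) => store.get(id)),
  );
}
```

In the browser, `requestKey(iframe.contentWindow, 'signing-key', 'https://trustca.com')` from the embedding page and the `message` listener above in the frame complete the exchange; the handler's return value is only there so the decision logic can be exercised outside a browser.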