- From: Mountie Lee <mountie@paygate.net>
- Date: Wed, 12 Feb 2014 23:42:23 +0900
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAE-+aYLscWROLjK8Y2HzaYk=tfPWGL-V-Yk6xsy56iGddEorCw@mail.gmail.com>
On Wed, Feb 12, 2014 at 11:33 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Feb 12, 2014 at 2:29 PM, Mountie Lee <mountie@paygate.net> wrote:
> > On Wed, Feb 12, 2014 at 11:18 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> >> CORS is a protocol over HTTP. So that statement does not even make sense.
> >
> > The current CORS protocol is applicable for remote resources, not for local resources.
> > My question is "is there any idea for accessing local resources of domain-B by setting a CORS header from domain-A?"
>
> If by "local resource" you mean IDB (which you indicated) there would
> not be any HTTP involved and therefore CORS (being an HTTP protocol)
> would not apply.

Understood.

> >> This is not a very clear description. If trustca.com has access to its
> >> storage, why would it not be able to share those objects in some
> >> manner with mybank.com? If on trustca.com I store a string "x" in IDB,
> >> I can certainly postMessage() that to mybank.com if it decides to
> >> embed me or some such.
> >
> > The key is very sensitive data.
> > Normally it will be un-exportable.
>
> What does that mean? Can you hold a reference to it in JavaScript?

http://www.w3.org/TR/WebCryptoAPI/#dfn-Key-extractable
This spec defines that a key can be extractable or not.
If the application sets the key as un-extractable, we cannot send it via postMessage().

> > In the storage, only a reference (a pointer to key material which is managed
> > by the UA and bound to a specific domain) is exposed.
> > If the reference data is sent via postMessage from trustca.com to mybank.com's control,
> > on mybank.com the key reference is useless (the pointer to the key material is already lost).
>
> Surely that can be fixed by providing explicit structured clone
> support for this object.

Under the same domain, structured clone is ok.
But under cross-origin conditions, I'm not sure.

> --
> http://annevankesteren.nl/

--
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Wednesday, 12 February 2014 14:43:08 UTC