Re: CORS for local resources

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 12 Feb 2014 14:51:19 +0000
Message-ID: <CADnb78jU+2iBk0joCG8c87skKroj+gFDOM+Xts82RDYcJkWJrw@mail.gmail.com>
To: Mountie Lee <mountie@paygate.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Feb 12, 2014 at 2:42 PM, Mountie Lee <mountie@paygate.net> wrote:
> On Wed, Feb 12, 2014 at 11:33 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>> Surely that can be fixed by providing explicit structured clone
>> support for this object.
>
> under the same domain, structured clone is ok.
> but under the cross-origin conditions, I'm not sure.

It should work. There is no reason for Key objects to be origin-bound
and as far as I can tell they are not. The security around messaging
structured clones is based on the object-capability model and not
origins.


-- 
http://annevankesteren.nl/
Received on Wednesday, 12 February 2014 14:51:46 UTC