
Re: adding Access-Control-Allow-Local to CORS

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 4 Mar 2014 17:36:57 -0800
Message-ID: <CAEeYn8i3kCYdPdjeXnqkk35fuD7pD-kf40g882qpFAuWrBMovA@mail.gmail.com>
To: Mountie Lee <mountie@paygate.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

I'm not sure how this would work. It wouldn't be an HTTP header. My guess
is that you'd have to change the API of every such mechanism to allow
setting allowed origins when an item is placed into local storage of some
sort.  Is that the suggestion?


On Tue, Mar 4, 2014 at 4:38 PM, Mountie Lee <mountie@paygate.net> wrote:

> Hi.
> Let me propose "Access-Control-Allow-Local" to CORS.
>
> The current CORS spec is defined for remote resources.
>
> But some local resources like localStorage and IndexedDB are bound to a
> specific origin.
> Even considering Web Messaging technology or cloning of objects,
> I still think we need additional control for local resources.
>
> My suggestion is
>
> Access-Control-Allow-Local: "Access-Control-Allow-Local" ":" (Resource
> Name)
>
> Any comment?
>
> --
> Mountie Lee
>
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
>
>  =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World
>
>
>
Received on Wednesday, 5 March 2014 01:37:27 UTC
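
The thread mentions Web Messaging as the existing way to reach origin-bound storage from another origin. The sketch below is an added example, not code from either poster or from any spec: it shows the storage-owning origin answering `postMessage` requests against a per-origin, per-key allowlist. The origins, key names, message shape and helper names are all constructed for illustration.

```javascript
// Added example: origin-allowlisted reads of localStorage over Web Messaging.
// Origins, keys and the {op, key, id} message shape are constructed assumptions.
const ALLOWED = new Map([
  ["https://shop.example", new Set(["cart"])],
  ["https://pay.example", new Set(["cart", "currency"])],
]);

// Pure handler: takes a MessageEvent-like object and a Storage-like object and
// returns the reply to post back, or null when the sender gets no answer.
function handleStorageRequest(event, storage) {
  const keys = ALLOWED.get(event.origin); // exact origin match, no substring tests
  if (!keys) return null;                 // unknown origin: stay silent
  const req = event.data;
  if (!req || typeof req !== "object") return null;
  if (req.op !== "get" || typeof req.key !== "string") return null;
  if (!keys.has(req.key)) {
    return { id: req.id, ok: false, error: "key not shared with this origin" };
  }
  return { id: req.id, ok: true, value: storage.getItem(req.key) };
}

// Browser wiring, run inside an iframe served by the storage-owning origin.
if (typeof window !== "undefined" && typeof localStorage !== "undefined") {
  window.addEventListener("message", (event) => {
    const reply = handleStorageRequest(event, localStorage);
    // Reply only to the verified origin, never to "*".
    if (reply && event.source) event.source.postMessage(reply, event.origin);
  });
}

// Minimal Storage stand-in so the handler can be exercised outside a browser.
function makeStorage(entries) {
  const m = new Map(Object.entries(entries));
  return { getItem: (k) => (m.has(k) ? m.get(k) : null) };
}
```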
