- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 4 Mar 2014 17:36:57 -0800
- To: Mountie Lee <mountie@paygate.net>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 5 March 2014 01:37:27 UTC
I'm not sure how this would work. It wouldn't be an HTTP header. My guess is that you'd have to change the API of every such mechanism to allow setting allowed origins when an item is placed into local storage of some sort. Is that the suggestion?

On Tue, Mar 4, 2014 at 4:38 PM, Mountie Lee <mountie@paygate.net> wrote:
> Hi.
> let me propose "Access-Control-Allow-Local" to CORS.
>
> current CORS spec is defined for remote resources.
>
> but some local resources like localStorage, IndexedDB are bound to
> specific origin
> even by considering Web Messaging technology or cloning of objects,
> still I think we need additional control for local resources.
>
> my suggestion is
>
> Access-Control-Allow-Local: "Access-Control-Allow-Local" ":" (Resource
> Name)
>
> any comment?
>
> --
> Mountie Lee
>
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
>
> =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World