
Re: adding Access-Control-Allow-Local to CORS

From: Mountie Lee <mountie@paygate.net>
Date: Mon, 17 Mar 2014 09:56:34 +0900
Message-ID: <CAE-+aY+dxPFSgkAR2v-ymRp6W1dtwrH9jfeim0vm6BAb5zqhzw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Let me add more details on the reason for my suggestion.

As we know, some local resources are bound to a specific origin.
Also, we have possible solutions for cross-origin communication, like CORS,
postMessage, structured cloning and JSON.

The requirement was initiated from discussion in the Web Crypto WG.
In the WG, cryptography technologies are discussed, and the most important
part of the spec is the KEY (encryption key, decryption key, ...) for crypto.

The key is also bound to a specific origin.
The key can be cloned/extracted and posted to a different window of domain.

But the key owner will lose key control after posting.

My suggestion is to keep the resource control.


On Sun, Mar 16, 2014 at 3:24 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Mar 5, 2014 at 12:38 AM, Mountie Lee <mountie@paygate.net> wrote:
> > Hi. let me propose "Access-Control-Allow-Local" to CORS.
> Again, it's not clear how this makes sense. You'd have more
> credibility if you actually followed up to the previous email thread
> you started on the matter:
> http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/thread.html#msg33
> --
> http://annevankesteren.nl/

Mountie Lee

Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

PayGate Inc.
for Korea, Japan, China, and the World
Received on Monday, 17 March 2014 00:57:19 UTC
