Re: adding Access-Control-Allow-Local to CORS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 17 Mar 2014 10:51:32 +0000
Message-ID: <CADnb78g4G9XCM_RB0ok-=VxNDvBek7u4ZDXeV_Y_zYJyEvBVTg@mail.gmail.com>
To: Mountie Lee <mountie@paygate.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Mar 17, 2014 at 12:56 AM, Mountie Lee <mountie@paygate.net> wrote:
> the requirement was initiated from discussion of Web Crypto WG.
> in the WG, cryptography technologies are discussed and the most important
> part of spec is the KEY (encryption key, decryption key...) for crypto
> operations.
>
> the key is also bound to specific origin.
> the key can be cloned/extracted and posted to different window of domain.

And as I said earlier that's a bug. There's no reason to bind the Key
object to a particular origin as far as I can tell. And CORS is not
going to help you here, as I explained in detail.


-- 
http://annevankesteren.nl/
Received on Monday, 17 March 2014 10:52:00 UTC