- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 17 Mar 2014 10:51:32 +0000
- To: Mountie Lee <mountie@paygate.net>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Mar 17, 2014 at 12:56 AM, Mountie Lee <mountie@paygate.net> wrote:
> the requirement was initiated from discussion of Web Crypto WG.
> in the WG, cryptography technologies are discussed and the most important
> part of spec is the KEY (encryption key, decryption key....) for crypto
> operations.
>
> the key is also bound to specific origin.
> the key can be cloned/extracted and posted to different window of domain.

And as I said earlier that's a bug. There's no reason to bind the Key
object to a particular origin as far as I can tell. And CORS is not
going to help you here, as I explained in detail.

--
http://annevankesteren.nl/

Received on Monday, 17 March 2014 10:52:00 UTC