Re: adding Access-Control-Allow-Local to CORS

On Mon, Mar 17, 2014 at 12:56 AM, Mountie Lee <mountie@paygate.net> wrote:
> the requirement were initiated from discussion of Web Crypto WG.
> in the WG, cryptography technologies are discussed and the most important
> part of spec is the KEY(encryption key, decryption key....) for crypto
> operations.
>
> the key is also bound to specific origin.
> the key can be cloned/extracted and posted to different window of domain.

And as I said earlier that's a bug. There's no reason to bind the Key
object to a particular origin as far as I can tell. And CORS is not
going to help you here, as I explained in detail.


-- 
http://annevankesteren.nl/

Received on Monday, 17 March 2014 10:52:00 UTC