Re: Follow-up. Re: Use case: Authenticate using eID

Le 13/05/2013 22:43, Ryan Sleevi a écrit :
>>> >>Any client-side storage mechanism can be invoked by colluding origins for
>>> >>different purposes, but the difference is that you don't get HTTP behavior
>>> >>or XHR in withCredentials mode (but you knew that).  If they aren't in
>>> >>collusion, then it's likely to be a hack.
>> >
>> >
>> >In another email, you wrote "2. The key can be shared with origin 2 via
>> >cross-origin messaging."
>> >(, I
>> >don't see how CORS could apply here, withCredentials or not, CORS is only
>> >about sending/receiving things to/from other origins and sharing some
>> >stringyfiable things or cookies uses, you can not share keys, the best you
>> >can do is to send some information to allow another origin to find the keys.
>> >
>> >Maybe I am missing something but what is the idea here?
> Cross-origin messaging != CORS
> Cross-origin messaging = postMessage, which takes structured clonable
> objects (eg: including keys)

Yes, that's exactly my other examples, just misread and mixed it 
following Arun's answer about XHR and recurrent mentions to CORS in this 


Email :
iAnonym :
node-Tor :
GitHub :
Web :
Webble :
Extract Widget Mobile :
BlimpMe! :

Received on Monday, 13 May 2013 20:59:36 UTC