- From: Ryan Sleevi <sleevi@google.com>
- Date: Wed, 22 Aug 2012 13:51:01 -0700
- To: David Dahl <ddahl@mozilla.com>
- Cc: Web Cryptography Working Group <public-webcrypto@w3.org>
On Wed, Aug 22, 2012 at 1:07 PM, David Dahl <ddahl@mozilla.com> wrote: > I think at first the single-origin concept for this API was short-sighted as we will not have the ability to build decentralized, non-walled-garden applications. Between Web Intents and OpenID Connect, do you think this is still the case? > > On the question of whether an approved-origin for a specific key can approve further origins: This operation is perhaps better and more securely handled by the browser implementation. I can imagine an implementation prompting the user for approval when an attempt to use a key is initiated x-domain for the first time, with the browser updating the key origin access list with "remember this choice" checked, etc... Do you think users will be able to understand these? What about the security implications of an XSS vulnerability allowing an attacker to grant access to evilsite.com from goodsite.com. Combined with homoglyph attacks (such that it's g00dsite.com), can users be reasonably expected to make good or informed security decisions? I know CSP mitigates some of the XSS, but it's not a perfect solution, I don't think. Just like Global Storage was deprecated, due to security concerns AIUI, I think I'd have a lot of concerns with opening another inter-origin communication method - both for evil sites colluding and for good sites getting owned. > > Cheers, > > David > > ----- Original Message ----- >> From: "Web Cryptography Working Group Issue Tracker" <sysbot+tracker@w3.org> >> To: public-webcrypto@w3.org >> Sent: Wednesday, August 22, 2012 2:43:00 PM >> Subject: crypto-ISSUE-26 (multi-origin access): Should key generation be allowed to specify multi-origin shared >> access [Web Cryptography API] >> >> crypto-ISSUE-26 (multi-origin access): Should key generation be >> allowed to specify multi-origin shared access [Web Cryptography API] >> >> http://www.w3.org/2012/webcrypto/track/issues/26 >> >> Raised by: Ryan Sleevi >> On product: Web Cryptography API >> >> The charter defines as "out of scope" as "access-control mechanisms >> beyond the enforcement of the same-origin policy" >> >> However, it was initially proposed by David Dahl, that during key >> generation, an application may be permitted to specify alternative >> origins be allowed to access the same key material. For example, it >> might include a DOMString[] of authorized origins, for which, if the >> key is generated, they're permitted to access. >> >> Additionally, there's outstanding question as to whether an origin, >> with access to a key, may be able to grant access to other origins >> proactively. >> >> >> >> >> >
Received on Wednesday, 22 August 2012 20:51:29 UTC