- From: <bugzilla@jessica.w3.org>
- Date: Fri, 09 May 2014 00:26:20 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25620
Bug ID: 25620
Summary: Provide informative text regarding the origin-based security model of the API
Product: Web Cryptography
Version: unspecified
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Web Cryptography API Document
Assignee: sleevi@google.com
Reporter: sleevi@google.com
CC: domenic@domenicdenicola.com, public-webcrypto@w3.org, rsalz@akamai.com
Raised by the W3C TAG review (
https://github.com/w3ctag/spec-reviews/issues/3#issuecomment-41521737 ), and
also by Rich Salz via Twitter, the spec is insufficiently clear that it relies
upon the same-origin security model.
In particular, the spec lacks any notion of Key storage/persistence, so
implicitly all Keys are restricted to the current browsing context. However,
because Keys are structured clonable, they are permitted to be used with
storage APIs (like Indexed DB), which are origin-restricted, or allowed to be
used with explicit inter-origin messaging APIs, such as postMessage.
Explaining this concept is important for explaining the security model of Keys,
where they come from, and how they are used.
Received on Friday, 9 May 2014 00:26:21 UTC