- From: <bugzilla@jessica.w3.org>
- Date: Fri, 09 May 2014 00:26:20 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25620

Bug ID: 25620
Summary: Provide informative text regarding the origin-based security model of the API
Product: Web Cryptography
Version: unspecified
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Web Cryptography API Document
Assignee: sleevi@google.com
Reporter: sleevi@google.com
CC: domenic@domenicdenicola.com, public-webcrypto@w3.org, rsalz@akamai.com

Raised by the W3C TAG review ( https://github.com/w3ctag/spec-reviews/issues/3#issuecomment-41521737 ), and also by Rich Salz via Twitter, the spec is insufficiently clear that it relies upon the same-origin security model.

In particular, the spec lacks any notion of Key storage/persistence, so implicitly all Keys are restricted to the current browsing context. However, because Keys are structured cloneable, they are permitted to be used with storage APIs (like Indexed DB), which are origin-restricted, or allowed to be used with explicit inter-origin messaging APIs, such as postMessage.

Explaining this concept is important for explaining the security model of Keys, where they come from, and how they are used.

--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Friday, 9 May 2014 00:26:21 UTC