Re: CORS and local resources from Mountie Lee on 2013-05-09 (public-webappsec@w3.org from May 2013)

From: Mountie Lee <mountie@paygate.net>
Date: Thu, 9 May 2013 10:43:05 +0900
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAE-+aYL=F=kpk2BxOGB3QjOh3oU2zHShWfHgq5r8D-fobRzKRA@mail.gmail.com>

in the WebCrypto WG,

WebCrypto API specification follow same-origin security policy for
cryptography key.

the cryptography key which will be symmetric or asymmetric key is currently
origin-specific and stored in local indexDB of UA.

but

by considering UseCases of EU (eID..) or Korea (National Certificate)
we need cross-origin operation.

I think,
if "Access-Control-Allow-Origin" header has the list of URLs,
the origin-specific local keys can be shared on the URLs of CORS header.
does it make sense?

regards
mountie.

On Thu, May 9, 2013 at 10:04 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, May 8, 2013 at 5:58 PM, Mountie Lee <mountie@paygate.net> wrote:
> > Hi.
> > currently CORS is for remote resources.
> >
> > can we expand CORS header for local resources (origin-specific local
> > resources)?
> >
> > if origin-A want resource-A can be used in origin-B,
> > origin-B can be added to CORS header.
> >
> > is this scenario acceptable?
>
> You'll have to elaborate a bit.
>
>
> --
> http://annevankesteren.nl/
>

-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Thursday, 9 May 2013 01:43:52 UTC