This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 25620 - Provide informative text regarding the origin-based security model of the API
Summary: Provide informative text regarding the origin-based security model of the API
Status: RESOLVED FIXED
Alias: None
Product: Web Cryptography
Classification: Unclassified
Component: Web Cryptography API Document
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Ryan Sleevi
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-09 00:26 UTC by Ryan Sleevi
Modified: 2014-06-16 23:20 UTC
CC: 3 users

See Also:


Attachments

Description Ryan Sleevi 2014-05-09 00:26:20 UTC
Raised by the W3C TAG review (https://github.com/w3ctag/spec-reviews/issues/3#issuecomment-41521737), and also by Rich Salz via Twitter: the spec is insufficiently clear that it relies upon the same-origin security model.

In particular, the spec lacks any notion of Key storage/persistence, so implicitly all Keys are restricted to the current browsing context. However, because Keys are structured clonable, they are permitted to be used with storage APIs (like Indexed DB), which are origin-restricted, or allowed to be used with explicit inter-origin messaging APIs, such as postMessage.

Explaining this concept is important for explaining the security model of Keys, where they come from, and how they are used.