[cap-talk] Fwd: [cors] TAG request ...
David-Sarah Hopwood
david-sarah at jacaranda.org
Thu Jun 25 14:18:39 EDT 2009
Toby Murray wrote:
> On Thu, 2009-06-25 at 09:53 -0700, David Wagner wrote:
>> Have you read about Tyler's webkeys?
>
> I don't see how webkeys solve the problem.
>
> Let me make this more concrete. Suppose I'm writing this mashup that's
> hosted on Site A. It's writetn in JavaScript and uses webkeys. So in my
> JavaScript code I have some object references which are really proxies
> to webkeys for resources on Site B. Is there a facility in the webkeys
> implementation for preventing the user's browser from retaining the
> unguessable URIs (contained within the proxy objects that the JavaScript
> it is running has access to) that refer to the resources on Site B?
>
> It would appear that one would need to trust the JavaScript
> implementation in the user's browser, at a minimum, in order to prevent
> the webkeys from being able to leak to the user. Even so, presumably
> some kind of Caja-like system is also needed to prevent the user
> enumerating the URI properties of the webkey objects.
Why is preventing the URIs from "leaking" to the user a requirement?
I can see the point of minimizing the chance that a user will
unintentionally delegate a wekey; that was discussed in a previous
cap-talk thread. I don't see the point of preventing the user from
obtaining the webkey (if it were possible to prevent that, which it
isn't).
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
More information about the cap-talk
mailing list