On Mon, Feb 2, 2015 at 8:44 AM, Adam Roach <[email protected]> wrote:

> On 2/2/15 10:08, Shane Tomlinson wrote:
>
> My head is spinning, though I'm sure it'll become more clear as I
> re-read the threads. One comment from rfk's email [1] from December:
>
>
> Chris also suggested that the encryption keys may not need to transit
> the server at all, but could instead be communicated from content-server to
> relier via a client-side postMessage API. I don't know much about
> postMessage but it sounds worth exploring.
>
> This is only possible if an iframe is involved somehow. Either the relier
> embeds the content server into its page (e.g., the lightbox flow[2]), or
> the relier embeds a hidden content server iframe in its page.
>
>
> This sounds like the general solution that Chris was saying is more
> complex than what we would need to make use of user keys in trusted Desktop
> code. Am I reading that correctly?
>

Yes. The way that we communicate with Loop is that the FxA page just fires an event on its own page, which requires special (i.e., chrome) privilege to receive. A more general solution that involves sending keys over postMessage will require more security review, IMO.

-chris

> --
> Adam Roach
> Principal Platform Engineer
> [email protected]
> +1 650 903 0800 x863
>
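
The sender-side and receiver-side checks that a postMessage key handoff of the kind discussed in this thread would depend on, as an added example that is not part of any message above and is not FxA code. The two origins, the `keys-handoff` message type and the 64-character hex key format are assumptions made for illustration.

```javascript
// Added example. Origins, message type and key format are hypothetical.
const CONTENT_SERVER_ORIGIN = "https://accounts.example.com"; // assumed content-server origin
const RELIER_ORIGIN = "https://relier.example.org";           // assumed relier origin
const MESSAGE_TYPE = "keys-handoff";                          // hypothetical message type

// Content-server side (running inside the iframe): post keys to the
// embedding page only if it is the approved relier.
function sendKeys(parentWindow, targetOrigin, keys) {
  // A "*" target would hand the keys to whatever page embedded the iframe.
  if (targetOrigin !== RELIER_ORIGIN) {
    throw new Error("refusing to post keys to unapproved origin");
  }
  // The browser discards the message if the parent is not at targetOrigin.
  parentWindow.postMessage({ type: MESSAGE_TYPE, keys }, targetOrigin);
}

// Relier side: return the key material from a MessageEvent, or null if
// the event fails any check.
function acceptKeyMessage(event, iframeWindow) {
  // Exact origin comparison; prefix or substring tests are bypassable.
  if (event.origin !== CONTENT_SERVER_ORIGIN) return null;
  // The message must come from the frame this page embedded itself.
  if (event.source !== iframeWindow) return null;
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== MESSAGE_TYPE) return null;
  // Assumed format: 32 bytes of key material as lowercase hex.
  if (typeof data.keys !== "string" || !/^[0-9a-f]{64}$/.test(data.keys)) return null;
  return data.keys;
}

// In a browser the relier would register the check like this
// (frame is the embedded content-server iframe element):
// window.addEventListener("message", (e) => {
//   const keys = acceptKeyMessage(e, frame.contentWindow);
//   if (keys !== null) { /* use keys */ }
// });
```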

