> This sounds like the general solution that Chris was saying is more complex than what we would need to make use of user keys in trusted Desktop code. Am I reading that correctly?

Yup. I jumped straight to the general web case without considering Loop. Loop runs Firefox Accounts in an iframe from browser chrome, so the use case is conceptually similar to the lightbox flow and pretty straightforward.

On Mon, Feb 2, 2015 at 5:59 PM, Christopher Karlof <[email protected]> wrote:

> On Mon, Feb 2, 2015 at 8:44 AM, Adam Roach <[email protected]> wrote:
>
>> On 2/2/15 10:08, Shane Tomlinson wrote:
>>
>> My head is spinning, though I'm sure it'll become more clear as I re-read the threads. One comment from rfk's email [1] from December:
>>
>> > Chris also suggested that the encryption keys may not need to transit the server at all, but could instead be communicated from content-server to relier via a client-side postMessage API. I don't know much about postMessage but it sounds worth exploring.
>>
>> This is only possible if an iframe is involved somehow. Either the relier embeds the content server into its page (e.g., the lightbox flow[2]), or the relier embeds a hidden content server iframe in its page.
>>
>> This sounds like the general solution that Chris was saying is more complex than what we would need to make use of user keys in trusted Desktop code. Am I reading that correctly?
>
> Yes. The way that we communicate with Loop is that the FxA page just fires an event on its own page, which requires special (i.e., chrome) privilege to receive. A more general solution that involves sending keys over postMessage will require more security review, IMO.
>
> -chris
>
>> --
>> Adam Roach
>> Principal Platform Engineer
>> [email protected]
>> +1 650 903 0800 x863
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
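
The checks a postMessage key hand-off between an embedded content-server iframe and a relier would need to pass review, as an added example that is not part of this thread or of the Firefox Accounts code. The origins, the `keys-ready` message type, the field names and the `mockWindow` helper are all hypothetical.

```javascript
// Added example. Origins, message type and field names are hypothetical,
// not the Firefox Accounts API.
const CONTENT_SERVER_ORIGIN = "https://accounts.example.test";
const RELIER_ORIGIN = "https://relier.example.test";

// Sender side (inside the content-server iframe): name the relier origin
// explicitly, never "*", so the browser drops the message if the parent
// is not the expected relier.
function sendKeysToRelier(parentWindow, relierOrigin, state, keyHex) {
  parentWindow.postMessage({ type: "keys-ready", state, keyHex }, relierOrigin);
}

// Receiver side (relier page): returns the key only if every check passes.
// Browser wiring: window.addEventListener("message", (e) => acceptKeyMessage(e, expected))
function acceptKeyMessage(event, expected) {
  if (event.origin !== expected.origin) return null;       // exact match, no prefix/suffix tests
  if (event.source !== expected.frameWindow) return null;  // must be the iframe we embedded
  const d = event.data;
  if (d === null || typeof d !== "object" || d.type !== "keys-ready") return null;
  if (typeof d.state !== "string" || d.state !== expected.state) return null; // binds to this flow
  if (typeof d.keyHex !== "string" || !/^[0-9a-f]{64}$/.test(d.keyHex)) return null;
  return d.keyHex;
}

// Stand-in for a browser window so the example runs under Node: like a
// browser, it delivers a message only when targetOrigin matches its origin.
function mockWindow(ownOrigin) {
  const w = { received: [] };
  w.postMessage = (data, targetOrigin) => {
    if (targetOrigin === "*" || targetOrigin === ownOrigin) w.received.push(data);
  };
  return w;
}

// Constructed demo values.
function demo() {
  const frameWindow = {}; // stands for iframe.contentWindow
  const expected = { origin: CONTENT_SERVER_ORIGIN, frameWindow, state: "constructed-state-1" };
  const data = { type: "keys-ready", state: expected.state, keyHex: "ab".repeat(32) };
  const good = { origin: CONTENT_SERVER_ORIGIN, source: frameWindow, data };
  return {
    accepted: acceptKeyMessage(good, expected),
    lookalikeOrigin: acceptKeyMessage({ ...good, origin: CONTENT_SERVER_ORIGIN + ".example" }, expected),
    otherWindow: acceptKeyMessage({ ...good, source: {} }, expected),
    staleState: acceptKeyMessage({ ...good, data: { ...data, state: "old" } }, expected),
  };
}
```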

