On Mon, Feb 2, 2015 at 10:36 AM, Shane Tomlinson <[email protected]> wrote:
> > This sounds like the general solution that Chris was saying is more
> complex than what we would need to make use of user keys in trusted Desktop
> code. Am I reading that correctly?
>
> Yup. I jumped straight to the general web case without considering Loop.
> Loop runs Firefox Accounts in an iframe from browser chrome, so the use
> case is conceptually similar to the lightbox flow and pretty
> straightforward.
>

Loop delegates login to FxA using the “WebChannel” abstraction, which opens up a tab to accounts.firefox.com and listens to custom events fired on that tab.

>
> On Mon, Feb 2, 2015 at 5:59 PM, Christopher Karlof <[email protected]>
> wrote:
>
>> On Mon, Feb 2, 2015 at 8:44 AM, Adam Roach <[email protected]> wrote:
>>
>>> On 2/2/15 10:08, Shane Tomlinson wrote:
>>>
>>> My head is spinning, though I'm sure it'll become more clear as I
>>> re-read the threads. One comment from rfk's email [1] from December:
>>>
>>> > Chris also suggested that the encryption keys may not need to transit
>>> the server at all, but could instead be communicated from content-server to
>>> relier via a client-side postMessage API. I don't know much about
>>> postMessage but it sounds worth exploring.
>>>
>>> This is only possible if an iframe is involved somehow. Either the
>>> relier embeds the content server into its page (e.g., the lightbox
>>> flow[2]), or the relier embeds a hidden content server iframe in its page.
>>>
>>>
>>> This sounds like the general solution that Chris was saying is more
>>> complex than what we would need to make use of user keys in trusted Desktop
>>> code. Am I reading that correctly?
>>>
>>>
>> Yes. The way that we communicate with Loop is that the FxA page just
>> fires an event on its own page, which requires special (i.e., chrome)
>> privilege to receive. A more general solution that involves sending keys
>> over postMessage will require more security review, IMO.
>>
>> -chris
>>
>>
>>> --
>>> Adam Roach
>>> Principal Platform Engineer
>>> [email protected]
>>> +1 650 903 0800 x863
>>>
>>
>
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
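As an added example (not from the thread and not Firefox Accounts code), these are checks a postMessage key handoff between content server and relier would depend on, which the chrome-privileged event used for Loop does not need. The message fields (`type`, `nonce`, `keys`), the relier origin and the `fakeWindow` stand-in for browser delivery are assumptions.

```javascript
// Added illustration. Message fields, relier origin and fakeWindow are hypothetical.
const FXA_ORIGIN = "https://accounts.firefox.com"; // host named in the thread

// Relier side: return the key material only if the message event passes every check.
// `pending` = { fxaWindow, nonce }, recorded when the relier created the FxA iframe.
function acceptKeyMessage(event, pending) {
  if (event.origin !== FXA_ORIGIN) return null;        // exact match, never prefix/regex
  if (event.source !== pending.fxaWindow) return null; // must come from the frame we opened
  const d = event.data;
  if (!d || typeof d !== "object" || d.type !== "fxa:keys") return null;
  if (typeof d.nonce !== "string" || d.nonce !== pending.nonce) return null;
  if (typeof d.keys !== "string") return null;
  pending.nonce = null;                                // single use, so a replay fails
  return d.keys;
}

// Content-server side: always name the recipient origin; "*" would hand the
// keys to whatever document currently occupies the target window.
function sendKeys(targetWindow, relierOrigin, nonce, keys) {
  targetWindow.postMessage({ type: "fxa:keys", nonce, keys }, relierOrigin);
}

// Stand-in for browser delivery under Node: deliver only if targetOrigin matches.
function fakeWindow(origin, senderOrigin, senderWindow) {
  const w = { inbox: [] };
  w.postMessage = (data, targetOrigin) => {
    if (targetOrigin === "*" || targetOrigin === origin) {
      w.inbox.push({ origin: senderOrigin, source: senderWindow, data });
    }
  };
  return w;
}

function demo() {
  const fxaFrame = {}; // stands in for iframe.contentWindow
  const relier = fakeWindow("https://relier.example", FXA_ORIGIN, fxaFrame);
  const navigated = fakeWindow("https://other.example", FXA_ORIGIN, fxaFrame);
  const pending = { fxaWindow: fxaFrame, nonce: "n-123" }; // constructed; use a CSPRNG value
  sendKeys(relier, "https://relier.example", "n-123", "opaque-key-material");
  sendKeys(navigated, "https://relier.example", "n-123", "opaque-key-material");
  const msg = relier.inbox[0];
  return {
    misdelivered: navigated.inbox.length,
    lookalike: acceptKeyMessage({ ...msg, origin: FXA_ORIGIN + ".other.example" }, pending),
    wrongSource: acceptKeyMessage({ ...msg, source: {} }, pending),
    wrongNonce: acceptKeyMessage({ ...msg, data: { ...msg.data, nonce: "n-999" } }, pending),
    genuine: acceptKeyMessage(msg, pending),
    replay: acceptKeyMessage(msg, pending),
  };
}
```

Only the genuine message yields the keys; the lookalike origin, the unknown source window, the mismatched nonce and the replay all return `null`, and the send to a window that has navigated elsewhere is never delivered.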

