Hello,
I would like to ask if it would be possible to add a mention of the CORS
header [0] in 3.1. Key discovery [1] in the OpenPGP Web Key Directory document.
I think it could be added somewhere below:

    The server SHOULD use "application/octet-stream" as the Content-Type
    for the data but clients SHOULD also accept any other Content-Type.
    The server MUST NOT return an ASCII armored version of the key.

And the wording may be something like: "It is RECOMMENDED that the key
is returned with 'Access-Control-Allow-Origin' HTTP header set to value
'*'".

The context of this change is the following: without an appropriate CORS
header, JavaScript code running on one domain cannot access resources
hosted on different domains. There are web applications that would like
to fetch the key and encrypt data purely in the browser and send only
encrypted blobs to the backend, thus minimizing the attack surface somehow. [2]

OpenPGP.js today can do WKD lookups, but without the CORS header set it
cannot fetch keys from any domain [3], thus making WKD not usable in the
browser [4].

One similar paragraph, recommending a CORS header for
"/.well-known/host-meta", can be found in XMPP [5].

Thank you for your time!
Kind regards,
Wiktor
[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
[1]: https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07#section-3.1
[2]: One such site is https://pipefile.com
[3]: This was pointed out by Sanjana Rajan:
https://github.com/openpgpjs/openpgpjs/pull/714#issuecomment-392609354
[4]: Thomas Oberndörfer mentions that "For regular web pages, CORS
header would be beneficial":
https://github.com/mailvelope/mailvelope/issues/580#issuecomment-394690051
[5]: https://xmpp.org/extensions/xep-0156.html#impl
--
https://metacode.biz/@wiktor
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
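
The response properties discussed in the message above (binary key, Content-Type, and the proposed Access-Control-Allow-Origin header) can be checked mechanically. The following is an added example, not part of the original message, the draft, or OpenPGP.js; the function names, the page origin and the sample responses are constructed for illustration.

```javascript
// Added example: audit a WKD key response against the section 3.1 rules
// quoted above and the proposed Access-Control-Allow-Origin recommendation.
const ARMOR_PREFIX = "-----BEGIN PGP PUBLIC KEY BLOCK-----";

// Case-insensitive header lookup over a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Browser rule for a non-credentialed cross-origin GET: a script may read the
// response only if Access-Control-Allow-Origin is "*" or its own exact origin.
function readableCrossOrigin(headers, pageOrigin) {
  const acao = header(headers, "Access-Control-Allow-Origin");
  return acao === "*" || acao === pageOrigin;
}

// Returns a list of findings; an empty list means nothing to report.
function auditWkdResponse(response, pageOrigin) {
  const findings = [];
  const start = Buffer.from(response.body).subarray(0, 64).toString("latin1");
  if (start.trimStart().startsWith(ARMOR_PREFIX)) {
    findings.push("MUST NOT: key is ASCII armored");
  }
  const type = (header(response.headers, "Content-Type") || "").split(";")[0].trim();
  if (type.toLowerCase() !== "application/octet-stream") {
    findings.push("SHOULD: Content-Type is not application/octet-stream");
  }
  if (header(response.headers, "Access-Control-Allow-Origin") !== "*") {
    findings.push(readableCrossOrigin(response.headers, pageOrigin)
      ? "RECOMMENDED: Access-Control-Allow-Origin allows only this origin, not '*'"
      : "RECOMMENDED: no usable Access-Control-Allow-Origin; browser scripts cannot read the key");
  }
  return findings;
}

// Constructed samples: placeholder bytes (not a real key), hypothetical origin.
const PAGE_ORIGIN = "https://app.example";
const GOOD = {
  headers: { "Content-Type": "application/octet-stream", "Access-Control-Allow-Origin": "*" },
  body: [0x99, 0x01, 0x0d, 0x04],
};
const NO_CORS = { headers: { "content-type": "application/pgp-keys" },
  body: ARMOR_PREFIX + "\n" };
console.log(auditWkdResponse(GOOD, PAGE_ORIGIN));
console.log(auditWkdResponse(NO_CORS, PAGE_ORIGIN));
```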