<div dir="ltr">On Mon, Feb 2, 2015 at 10:36 AM, Shane Tomlinson <span dir="ltr">&lt;<a href="mailto:stomlinson@mozilla.com" target="_blank">stomlinson@mozilla.com</a>&gt;</span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span class=""><span><div>> This sounds like the general solution that Chris was saying is more
complex than what we would need to make use of user keys in trusted
Desktop code. Am I reading that correctly?<br><br></div></span></span><span class="">Yup. I
jumped straight to the general web case without considering Loop. Loop
runs Firefox Accounts in an iframe from browser chrome, so the use case
is conceptually similar to the lightbox flow and pretty
straightforward.</span><div><div></div></div></div></blockquote><div><br></div><div><br></div><div>Loop delegates login to FxA using the “WebChannel” abstraction, which opens up a tab to <a href="http://accounts.firefox.com">accounts.firefox.com</a> and listens to custom events fired on that tab.</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 2, 2015 at 5:59 PM, Christopher Karlof <span dir="ltr">&lt;<a href="mailto:ckarlof@mozilla.com" target="_blank">ckarlof@mozilla.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>On Mon, Feb 2, 2015 at 8:44 AM, Adam Roach <span dir="ltr">&lt;<a href="mailto:abr@mozilla.com" target="_blank">abr@mozilla.com</a>&gt;</span> wrote:<br></div></div><div class="gmail_extra"><div class="gmail_quote"><div><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div>On 2/2/15 10:08, Shane Tomlinson wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>My head is spinning, though I'm sure it'll become more
clear as I re-read the threads. One comment from rfk's email
[1] from December:<br>
<br>
> Chris also suggested that the encryption keys may not
need to transit the server at all, but could instead be
communicated from content-server to relier via a client-side
postMessage API. I don't know much about postMessage but it
sounds worth exploring.<br>
<br>
</div>
This is only possible if an iframe is involved somehow. Either
the relier embeds the content server into its page (e.g., the
lightbox flow[2]), or the relier embeds a hidden content server
iframe in its page.</div>
</blockquote>
<br></span>
This sounds like the general solution that Chris was saying is more
complex than what we would need to make use of user keys in trusted
Desktop code. Am I reading that correctly?<span><br>
<br></span></div></blockquote><div><br></div></div></div><div>Yes. The way that we communicate with Loop is that the FxA page just fires an event on its own page, which requires special (i.e., chrome) privilege to receive. A more general solution that involves sending keys over postMessage will require more security review, IMO. </div><div><br></div><div>-chris</div><span><div><br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><span>
<div>-- <br>
<div style="font-family:sans-serif"> <span>Adam Roach</span><br>
<span style="font-size:12">Principal Platform Engineer</span><br>
<span style="font-size:12"><a href="mailto:abr@mozilla.com" target="_blank">abr@mozilla.com</a></span><br>
<span style="font-size:12"><a href="tel:%2B1%20650%20903%200800%20x863" value="+16509030800" target="_blank">+1 650 903 0800 x863</a></span><br>
</div>
</div>
</span></div>
</blockquote></span></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>