- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Wed, 04 Feb 2015 13:13:27 +0100
- To: Göran Eriksson AP <goran.ap.eriksson@ericsson.com>, Martin Thomson <martin.thomson@gmail.com>
- CC: "public-webrtc@w3.org" <public-webrtc@w3.org>

On 02/04/2015 12:53 PM, Göran Eriksson AP wrote:
>
>> -----Original Message-----
>> From: Martin Thomson [mailto:martin.thomson@gmail.com]
>> Sent: den 4 februari 2015 07:21
>> To: Harald Alvestrand
>> Cc: public-webrtc@w3.org
>> Subject: Re: CSP/CORS (Re: ICE exposes 'real' local IP to javascript)
>>
>> I can't think of any application of CSP or CORS in this context. We already
>> have consent mechanisms equivalent to CORS in the form of ICE.
>> And CSP serves only as a voluntary reduction in capabilities on the part of a
>> site.
> [GAPE:]
> Just to make it clear- this is not [intended] as a discussion about the ICE/consent mechanism. This is as far as I understand it, another matter; which tools do the well-behaved web site owners have available to have a defense-in-depth in case the web app is compromised, e.g. by content injection or simply poorly written?
>
> This is separate from the VPN-case, also of concern.
>

Thanks for clarifying your intent with mentioning these tools!

Do they belong in the spec, or do they belong in supporting material - "how to write a secure WebRTC application"?

(it's natural for me to think that it belongs in supporting material, given that I want the spec finished....)

Received on Wednesday, 4 February 2015 12:13:57 UTC