- From: T H Panton <thp@westhawk.co.uk>
- Date: Fri, 12 Jan 2018 12:56:15 +0000
- To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
- Cc: Iñaki Baz Castillo <ibc@aliax.net>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Cullen Jennings <fluffy@iii.ca>
> On 12 Jan 2018, at 12:44, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> wrote:
>
> On 12/01/2018 13:27, Iñaki Baz Castillo wrote:
>> And as I already pointed out, my proposal above was just intended to
>> make both, Full ICE and ICE Lite, equally safe. :)
>>
>> Leaking data via TURN credentials is a different subject (not less important).
>
> Ok, I agree with that, but as Tim said this will require changes on IETF stun.

On reflection I think we should do both, let's make a sensible mention of webRTC in the CSP on the w3c side and make these ICE changes on the IETF side.

>
> Before going that route, it would be worthy to think if it makes sense at all to enable P2P communications (ice-lite or ice, dc or media) at all on a web page that has restricted the data origins/dests via CSP.
>
> A rule to disable webrtc if CSP is enabled would be enough for 99% of cases and trivial to implement as phase 0.

I think that would cause a problem for video enrolment on banking sites, which is becoming pretty popular. A site should be able to use webRTC and have CSP - we want to at |pipe| - I'm pretty sure folks like skype and wire do too.

>
> Best regards
>
> Sergio
>
Received on Friday, 12 January 2018 12:56:39 UTC