Re: webRTC and Content Security Policy connect-src from Sergio Garcia Murillo on 2018-01-12 (public-webrtc@w3.org from January 2018)

From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Fri, 12 Jan 2018 19:36:11 +0100
To: T H Panton <thp@westhawk.co.uk>
Cc: Peter Thatcher <pthatcher@google.com>, Cullen Jennings <fluffy@iii.ca>, Iñaki Baz Castillo <ibc@aliax.net>, "public-webrtc@w3.org" <public-webrtc@w3.org>
Message-ID: <bfd2d128-02bf-9a19-635c-1251941119e2@gmail.com>

On 12/01/2018 19:22, T H Panton wrote:
> On 12 Jan 2018, at 18:17, Sergio Garcia Murillo 
> <sergio.garcia.murillo@gmail.com 
> <mailto:sergio.garcia.murillo@gmail.com>> wrote:
>>
>>   * remote candidates: any remote candidate passed to an PC (either
>>     on the setRemoteDescription or addIceCandidate) not maching an
>>     entry on the whitelist will be discarded
>>
> You've just disabled P2P in webrtc. Unless you get lucky and 
> peer-reflexive happens to work, which it won't if both sides have the 
> same CSP poilicy.
Exactly, but you can enable it back by adding "ice:*" if you understand 
the risks or not using CSP at all. Also, note that on your banking case, 
you can deliver different CSP headers to users and to the agents.

Regards
Sergio

Received on Friday, 12 January 2018 18:36:33 UTC