Re: [Bug 25809] Security issue: Abuse of "call me" URLs

On 28 August 2014 14:28, Martin Thomson wrote:
> The other suggestions, less so.  Enhancing CSP might be a good idea to
> cover this, rather than the sandboxing stuff.  I have CSP folks within
> spitting distance, so I'll ask.  The question of WebRTC as a whole is
> probably more interesting in this regard.

I had some discussions with the folks who look after CSP here.  The
feedback I got from them was that CSP is more designed to protect the
integrity of a site and less to protect users.  We concluded that
providing CSP directives that govern the use of user media wasn't
interesting enough to do.

However, we did identify an issue with WebRTC and CSP that I've
followed up on with the webappsec working group.

Received on Friday, 29 August 2014 18:03:52 UTC