Re: CSP for WebRTC

This seems like a good thing to add to the next iteration. I'll file a bug
to make sure we remember to consider it:
https://www.w3.org/2011/webappsec/track/issues/67

-mike

--
Mike West <mkwst@google.com>

On Tue, Sep 2, 2014 at 5:21 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

>
> On Sep 1, 2014 1:55 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
> >
> > On Fri, Aug 29, 2014 at 1:29 AM, Martin Thomson
> > <martin.thomson@gmail.com> wrote:
> > > Unlike other sources of script-accessible data, peer-to-peer data is
> > > not associated with an origin, so I think that the only thing to do is
> > > to clump all WebRTC data into a single group and identify that group
> > > with a keyword source.
> >
> > Could you perhaps explain or provide a pointer that explains the
> > security model?
>
> https://tools.ietf.org/html/draft-rtcweb-security should do it.
>
> > > Thus, I'd like to suggest a new keyword-source of 'webrtc-data',
> > > governing the use of WebRTC data channels. That leaves the option to
> > > block 'webrtc-media' in the future.  Alternatively, or in addition to
> > > that, a single keyword 'webrtc' might cover both, should that be
> > > desired.
> >
> > Should we tie the name to WebRTC or name this p2p/rtc in case other
> > protocols come along such as ORTC?
>
> ORTC is still going to be WebRTC. It is either 1.1 or 2.0, but the basic
> name is ok.
>

Received on Wednesday, 3 September 2014 13:32:50 UTC