Re: CSP for WebRTC from Martin Thomson on 2014-09-06 (public-webappsec@w3.org from September 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 5 Sep 2014 22:12:36 -0700
To: Mike West <mkwst@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CABkgnnXav95aarj_WPShtdVMV2bsU5RHOsiWvj2VVceEKpb=WQ@mail.gmail.com>

On 3 September 2014 06:32, Mike West <mkwst@google.com> wrote:
> This seems like a good thing to add to the next iteration. I'll file a bug
> to make sure we remember to consider it:
> https://www.w3.org/2011/webappsec/track/issues/67

And here is a follow-up request.

We have some folks working on getting their CSP right for a WebRTC
application and the discussion turned to 'media-src'.  Our initial
take on that was that we didn't think it was particularly interesting
from a site integrity perspective, but this comment suggests that
maybe it's a good idea to provide protection anyway:
https://bugzilla.mozilla.org/show_bug.cgi?id=1017257#c21

That suggests two new keyword-source values for media-src: 'webrtc'
and 'user[-]media'.

Received on Saturday, 6 September 2014 05:13:04 UTC