Re: [webrtc-extensions] Invalid TURN credentials: What function should fail? (#52)

There are multiple reasons to fail in the network layer rather than at the API:

* A generic network error used for various reasons gives less information to an attacker. Browsers can still expose more granular information in the developer console.
* A network error usually degrades more gracefully than an API starting to throw an exception it previously did not throw. There's less chance for the application to fall apart.
* Architecturally, using the network layer for security checks reduces the risk of new APIs forgetting about some of them.

Unknown schemes seem somewhat different though and it might well make sense to fail at the API boundary there to allow for feature testing.

-- 
GitHub Notification of comment by annevk
Please view or discuss this issue at https://github.com/w3c/webrtc-extensions/issues/52#issuecomment-728811972 using your GitHub account


Received on Tuesday, 17 November 2020 09:43:39 UTC