Re: [webrtc-extensions] Add a CSP check to RTCPeerConnection.constructor(). (#81) from Ian Denhardt via GitHub on 2021-06-30 (public-webrtc-logs@w3.org from June 2021)

From: Ian Denhardt via GitHub <sysbot+gh@w3.org>
Date: Wed, 30 Jun 2021 17:27:10 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-871594020-1625074028-sysbot+gh@w3.org>

> This is because of ability to service worker to override security headers and thus to escape from the sandbox.

Can you expand on this? I'm not deeply familiar with service workers, how might they do this?

There does appear to be a `worker-src` directive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src

-- 
GitHub Notification of comment by zenhack
Please view or discuss this issue at https://github.com/w3c/webrtc-extensions/pull/81#issuecomment-871594020 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 June 2021 17:27:12 UTC