Re: [webrtc-extensions] Add a CSP check to RTCPeerConnection.constructor(). (#81)

A service worker allows you to intercept requests to the server and reply with a newly created Response from the browser itself (see [FetchEvent](https://developer.mozilla.org/en-US/docs/Web/API/FetchEvent)). The new response object is an instance of [Response](https://developer.mozilla.org/en-US/docs/Web/API/Response) and thus can contain a CSP header, which allows it to override the current CSP policy. So having a third-party service worker is not safe even with a restrictive CSP.

-- 
GitHub Notification of comment by rumkin
Please view or discuss this issue at https://github.com/w3c/webrtc-extensions/pull/81#issuecomment-871600441 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 June 2021 17:37:24 UTC
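
The comment above points out that a Response built inside a service worker carries its own CSP header. As an added example (not code from the thread or from the webrtc-extensions project), here is one way a site's own service worker could compare the CSP on a handler-produced response with a pinned policy before using it for a navigation. `PINNED_CSP`, `parseCsp`, `cspWeakenings` and `guardHandler` are hypothetical names, and the comparison is syntactic and assumes a single policy per header.

```javascript
// Added example. PINNED_CSP and all function names are assumptions; the
// comparison is syntactic and expects one policy (no comma list) per header.
const PINNED_CSP = "default-src 'self'; connect-src 'self'";

// Parse a CSP header value into Map<directive, Set<source expression>>.
function parseCsp(value) {
  const policy = new Map();
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by CSP, so the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), new Set(sources));
    }
  }
  return policy;
}

// List the ways `response` is weaker than `pinned`: a pinned directive is
// absent, or it lists a source expression the pinned directive does not.
function cspWeakenings(response, pinned = PINNED_CSP) {
  const actual = parseCsp(response.headers.get('content-security-policy'));
  const findings = [];
  for (const [name, allowed] of parseCsp(pinned)) {
    if (!actual.has(name)) {
      findings.push(`${name}: missing`);
      continue;
    }
    for (const src of actual.get(name)) {
      if (src !== "'none'" && !allowed.has(src)) {
        findings.push(`${name}: extra source ${src}`);
      }
    }
  }
  return findings;
}

// Wrap a fetch handler (for instance one supplied by an imported library) so
// that a Response it builds for a navigation is rejected when its CSP is weaker.
function guardHandler(handler, pinned = PINNED_CSP) {
  return async (request) => {
    const response = await handler(request);
    const findings = request.mode === 'navigate' ? cspWeakenings(response, pinned) : [];
    if (findings.length) {
      throw new Error('CSP weaker than pinned policy: ' + findings.join(', '));
    }
    return response;
  };
}
```

In a service worker, the wrapped handler would be the one passed to `event.respondWith()`; a rejection there makes the navigation fail instead of loading the document under the weaker policy.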