W3C home > Mailing lists > Public > public-webrtc@w3.org > August 2015

Re: Sandboxing usage of RTCPeerConnection?

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Mon, 17 Aug 2015 15:10:16 +0200
Message-ID: <55D1DD38.9000100@w3.org>
To: Eric Rescorla <ekr@rtfm.com>
CC: "public-webrtc@w3.org" <public-webrtc@w3.org>
On 17/08/2015 14:54, Eric Rescorla wrote:
> This seems like it's going to cause a lot of ossification, since it will
> mean that if
> you want to load an iframe that *can* use PC, then you will have to use
> iframe-sandbox and then you will be restricted to just the APIs that are
> presently
> whitelistable.

Hmm... Indeed, I see how that could become problematic.

> It would be fine to have PC disabled when IFRAME sandbox was used unless
> allow-rtcpeerconnection was set.

I think that would already be an improvement.

How about a CSP directive that enables RTCPeerConnection for embedded 
contexts from specific origins and defaults to false for other than self?

Dom
Received on Monday, 17 August 2015 13:10:21 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:45 UTC