- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Mon, 17 Aug 2015 15:10:16 +0200
- To: Eric Rescorla <ekr@rtfm.com>
- CC: "public-webrtc@w3.org" <public-webrtc@w3.org>
On 17/08/2015 14:54, Eric Rescorla wrote: > This seems like it's going to cause a lot of ossification, since it will > mean that if > you want to load an iframe that *can* use PC, then you will have to use > iframe-sandbox and then you will be restricted to just the APIs that are > presently > whitelistable. Hmm... Indeed, I see how that could become problematic. > It would be fine to have PC disabled when IFRAME sandbox was used unless > allow-rtcpeerconnection was set. I think that would already be an improvement. How about a CSP directive that enables RTCPeerConnection for embedded contexts from specific origins and defaults to false for other than self? Dom
Received on Monday, 17 August 2015 13:10:21 UTC