On Mon, Aug 17, 2015 at 6:10 AM, Dominique Hazael-Massieux <dom@w3.org> wrote: > On 17/08/2015 14:54, Eric Rescorla wrote: > >> This seems like it's going to cause a lot of ossification, since it will >> mean that if >> you want to load an iframe that *can* use PC, then you will have to use >> iframe-sandbox and then you will be restricted to just the APIs that are >> presently >> whitelistable. >> > > Hmm... Indeed, I see how that could become problematic. > > It would be fine to have PC disabled when IFRAME sandbox was used unless >> allow-rtcpeerconnection was set. >> > > I think that would already be an improvement. > > How about a CSP directive that enables RTCPeerConnection for embedded > contexts from specific origins and defaults to false for other than self? > Seems like a question for WebAppSec. It's not like this is the only thing that's problematic in IFRAMEs -EkrReceived on Monday, 17 August 2015 13:16:28 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:08 UTC