W3C home > Mailing lists > Public > public-webrtc@w3.org > February 2015

Re: CSP/CORS (Re: ICE exposes 'real' local IP to javascript)

From: Harald Alvestrand <harald@alvestrand.no>
Date: Wed, 04 Feb 2015 13:13:27 +0100
Message-ID: <54D20CE7.3010303@alvestrand.no>
To: Göran Eriksson AP <goran.ap.eriksson@ericsson.com>, Martin Thomson <martin.thomson@gmail.com>
CC: "public-webrtc@w3.org" <public-webrtc@w3.org>
On 02/04/2015 12:53 PM, Göran Eriksson AP wrote:
>
>> -----Original Message-----
>> From: Martin Thomson [mailto:martin.thomson@gmail.com]
>> Sent: den 4 februari 2015 07:21
>> To: Harald Alvestrand
>> Cc: public-webrtc@w3.org
>> Subject: Re: CSP/CORS (Re: ICE exposes 'real' local IP to javascript)
>>
>> I can't think of any application of CSP or CORS in this context.  We already
>> have consent mechanisms equivalent to CORS in the form of ICE.
>> And CSP serves only as a voluntary reduction in capabilities on the part of a
>> site.
> [GAPE:]
> Just to make it clear- this is not [intended] as a discussion about the ICE/consent mechanism. This is as far as I understand it, another matter; which tools do the well-behaved web site owners have available to have a defense-in-depth in case the web app is compromised, e.g. by content injection or simply poorly written?
>
> This is separate from the VPN-case, also of concern.
>

Thanks for clarifying your intent with mentioning these tools!

Do they belong in the spec, or do they belong in supporting material - 
"how to write a secure WebRTC application"?

(it's natural for me to think that it belongs in supporting material, 
given that I want the spec finished....)
Received on Wednesday, 4 February 2015 12:13:57 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:43 UTC