Re: CSP/CORS (Re: ICE exposes 'real' local IP to javascript)

On 02/04/2015 12:53 PM, Göran Eriksson AP wrote:
>> -----Original Message-----
>> From: Martin Thomson []
>> Sent: den 4 februari 2015 07:21
>> To: Harald Alvestrand
>> Cc:
>> Subject: Re: CSP/CORS (Re: ICE exposes 'real' local IP to javascript)
>> I can't think of any application of CSP or CORS in this context.  We already
>> have consent mechanisms equivalent to CORS in the form of ICE.
>> And CSP serves only as a voluntary reduction in capabilities on the part of a
>> site.
> [GAPE:]
> Just to make it clear- this is not [intended] as a discussion about the ICE/consent mechanism. This is as far as I understand it, another matter; which tools do the well-behaved web site owners have available to have a defense-in-depth in case the web app is compromised, e.g. by content injection or simply poorly written?
> This is separate from the VPN-case, also of concern.

Thanks for clarifying your intent with mentioning these tools!

Do they belong in the spec, or do they belong in supporting material - 
"how to write a secure WebRTC application"?

(it's natural for me to think that it belongs in supporting material, 
given that I want the spec finished....)

Received on Wednesday, 4 February 2015 12:13:57 UTC