- From: Göran Eriksson AP <goran.ap.eriksson@ericsson.com>
- Date: Tue, 12 May 2015 19:00:27 +0000
- To: Cullen Jennings <fluffy@cisco.com>
- CC: "public-webrtc@w3.org" <public-webrtc@w3.org>
Hi Cullen, Thanks for asking, :-). Please see below for answers. > >Hi, regardless of anything to do with charters, I just wanted to learn a >but more about what you had in mind with the following: We really do not want to trigger a discussion right now in the WG that takes focus from finishing 1.0 and then bringing 1.0 and ORTC together- our interest is merely to ensure work can be done after that has been secured, say sometime Q1 2016 (hopefully!). > >> On May 7, 2015, at 7:29 AM, Göran Eriksson AP >><goran.ap.eriksson@ericsson.com> wrote: >> >> * harmonization with rest of WebAppSec (and others) about Web platform >> security evolution > >Thoughts on what's needed? I worry that much of the security will be >largely unchangeable by the time we ship 1.0 so want to check if there is >anything we need to deal with now. Of course agree harmonization is good, >just not sure what is needed. One example is the WebAppSec WG Permission API (getusermedia of course but as an example). > > >> * General User Security and Privacy improvements > >Again, I worry that later things will only make the privacy worse not >better so love to hear what you have in mind. I could imagine discussing using CSP directive for controlling the ICE candidates exposure, perhaps the ICE origin as well. And enforcing stuns, turns perhaps? > > >> * Delegation use cases (Web app from one origin, part of find and >> connect, TURN, conference servers from another provider (and origin)) >> for verticals like Financial, E-health and Manufacturing > >As long as TURN credentials are coordinated between the TURN provider >and web provider (and there is work to improve that as you know), it >seems to work now to get TURN servers from one provider, conferencing >servers from another, and build the website on yet another origin, and >the rendezvous servers could be via another service. For example, I've >seen apps with PubHub for rendezvous, Tropo for media server, and >webserver off Heroku. Something more needed? It is not that it does not work, itıs if it can be made more secure. In the case of delegation, often a JSL comes along to manage the peerConnection. This is something one would like to isolate from the rest of the web app from the origin. Our first webkit contribution many years ago for this purpose was the sandbox flag on the iFrame. Not iFrame is not the way to go nowadays apparently, but the basic idea of isolating a JSL from other origins is still one worthwhile exploring we think. I should mention that much of this may not be about specifications but perhaps Best practice or something similar. But again, we really do not wish to have this discussion on the list taking focus from the work lying ahead; finishing 1.0 and bringing ORTC and webRTC 1.0 together. Itıs about the charter and opening up for new work after that as been done. Perhaps something for a WebRTC session at TPAC? Be well! Göran > >
Received on Tuesday, 12 May 2015 19:00:53 UTC