
Re: webRTC and Content Security Policy connect-src

From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Fri, 12 Jan 2018 13:44:52 +0100
To: Iñaki Baz Castillo <ibc@aliax.net>
Cc: T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Cullen Jennings <fluffy@iii.ca>
Message-ID: <f0bfa16c-7b30-bb02-356d-3a59e30329fa@gmail.com>

On 12/01/2018 13:27, Iñaki Baz Castillo wrote:
> And as I already pointed out, my proposal above was just intended to
> make both Full ICE and ICE Lite equally safe. :)
>
> Leaking data via TURN credentials is a different subject (no less important).

Ok, I agree with that, but as Tim said this will require changes to IETF STUN.

Before going that route, it would be worth thinking about whether it makes sense at all to enable P2P communications (ICE Lite or ICE, data channels or media) on a web page that has restricted the data origins/destinations via CSP.

A rule to disable WebRTC if CSP is enabled would be enough for 99% of cases and trivial to implement as phase 0.

Best regards

Sergio
Received on Friday, 12 January 2018 12:45:13 UTC
