
Re: webRTC and Content Security Policy connect-src

From: T H Panton <thp@westhawk.co.uk>
Date: Fri, 12 Jan 2018 12:56:15 +0000
Cc: Iñaki Baz Castillo <ibc@aliax.net>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Cullen Jennings <fluffy@iii.ca>
Message-Id: <360244BB-D07C-4DD6-8B32-430EA9078EE4@westhawk.co.uk>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>


> On 12 Jan 2018, at 12:44, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> wrote:
> 
> On 12/01/2018 13:27, Iñaki Baz Castillo wrote:
>> And as I already pointed out, my proposal above was just intended to
>> make both Full ICE and ICE Lite equally safe. :)
>> 
>> Leaking data via TURN credentials is a different subject (not less important).
> 
> OK, I agree with that, but as Tim said this will require changes in IETF STUN.

On reflection I think we should do both: let's make a sensible mention of webRTC in the CSP on the W3C side
and make these ICE changes on the IETF side.

> 
> Before going that route, it would be worth thinking about whether it makes sense at all to enable P2P communications (ICE Lite or full ICE, DC or media) on a web page that has restricted the data origins/dests via CSP.
> 
> A rule to disable WebRTC if CSP is enabled would be enough for 99% of cases and trivial to implement as phase 0.

I think that would cause a problem for video enrolment on banking sites, which is becoming pretty
popular.
A site should be able to use webRTC and have CSP - we want to at |pipe| - I'm pretty sure folks like Skype and Wire do too.

> 
> Best regards
> 
> Sergio
> 
Received on Friday, 12 January 2018 12:56:39 UTC

This archive was generated by hypermail 2.3.1 : Friday, 12 January 2018 12:56:40 UTC