Sorry, that's host and port. So maybe domain-name-only remote ICE
candidates and TURN servers and STUN servers with whitelisted domains might
work.
On Fri, Jan 12, 2018, 8:20 AM Peter Thatcher <pthatcher@google.com> wrote:
> As I pointed out on the other thread (why do we have 2?), disabling ICE
> lite doesn't really help. You'd have to disable or limit full ICE as well,
> and STUN, and TURN. Any packets being sent by the browser where the JS
> can control the destination port is sufficient to convey information (I
> think; am I missing something?).
>
>
> On Fri, Jan 12, 2018, 5:22 AM Harald Alvestrand <harald@alvestrand.no>
> wrote:
>
>> To me, it sounds like we should ban ICE-LITE altogether.
>>
>> We've got a lot of security story resting on the idea that the ICE
>> request/response requires both ends to have seen the SDP.
>> If that isn't true for ICE-LITE, then ICE-LITE is not safe for WebRTC.
>>
>> On 01/12/2018 01:20 PM, Sergio Garcia Murillo wrote:
>>
>> Missed it, that will prevent it, right.
>>
>> On 12/01/2018 13:11, T H Panton wrote:
>>
>>
>> That's covered in my proposal:
>>
>> add a CSP turn-servers whitelist (to prevent leakage via the credentials)
>>
>>
>>
>>