Re: Ban ICE-LITE? Re: webRTC and Content Security Policy connect-src

Sorry, that's host and port.  So maybe domain-name-only remote ICE
candidates and TURN servers and STUN servers with whitelisted domains might
work.

On Fri, Jan 12, 2018, 8:20 AM Peter Thatcher <pthatcher@google.com> wrote:

> As I pointed out on the other thread (why do we have 2?), disabling ICE
> lite doesn't really help.  You'd have to disable or limit full ICE as well,
> and STUN, and TURN.  Any packets being sent by the browser where the JS
> can control the destination port are sufficient to convey information (I
> think; am I missing something?).
>
>
> On Fri, Jan 12, 2018, 5:22 AM Harald Alvestrand <harald@alvestrand.no>
> wrote:
>
>> To me, it sounds like we should ban ICE-LITE altogether.
>>
>> We've got a lot of security story resting on the idea that the ICE
>> request/response requires both ends to have seen the SDP.
>> If that isn't true for ICE-LITE, then ICE-LITE is not safe for WebRTC.
>>
>> On 01/12/2018 01:20 PM, Sergio Garcia Murillo wrote:
>>
>> Missed it, that will prevent it, right.
>>
>> On 12/01/2018 13:11, T H Panton wrote:
>>
>>
>> That's covered in my proposal:
>>
>> add a CSP turn-servers whitelist (to prevent leakage via the credentials)
>>
>>
>>
>>

Received on Friday, 12 January 2018 16:42:50 UTC
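
One way a page could apply the allowlist idea from this thread before handing a configuration or a remote candidate to RTCPeerConnection, as an added example that is not code from any poster or from a browser implementation. It reads the proposal as requiring an allowlisted domain name (never an IP literal) for STUN/TURN servers and remote candidates alike; `ALLOWED_HOSTS`, the function names and the sample hosts are assumptions.

```javascript
// Added example (not from the thread). ALLOWED_HOSTS and every sample value
// used with these functions are constructed for illustration.
const ALLOWED_HOSTS = new Set(["turn.example.org", "stun.example.org"]);

// An IPv4 dotted quad, or anything containing ':' (IPv6), is an IP literal.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// Host part of a stun:/stuns:/turn:/turns: URI (RFC 7064, RFC 7065),
// or null if the URI is malformed or uses another scheme.
function iceServerHost(uri) {
  const m = /^(?:stuns?|turns?):([^?]+)(?:\?transport=(?:udp|tcp))?$/i.exec(uri);
  if (!m) return null;
  const v6 = /^\[([0-9a-f:.]+)\](?::\d{1,5})?$/i.exec(m[1]);
  if (v6) return v6[1];
  const named = /^([^:\[\]\/@]+)(?::\d{1,5})?$/.exec(m[1]);
  return named ? named[1].toLowerCase() : null;
}

function hostAllowed(host) {
  return host !== null && !isIpLiteral(host) && ALLOWED_HOSTS.has(host);
}

// Returns the STUN/TURN URIs in an RTCConfiguration-shaped object that the
// allowlist would refuse.
function rejectedIceServers(config) {
  const rejected = [];
  for (const server of config.iceServers || []) {
    for (const uri of [].concat(server.urls)) {
      if (!hostAllowed(iceServerHost(uri))) rejected.push(uri);
    }
  }
  return rejected;
}

// A remote candidate passes only if its connection-address (fifth field of
// the candidate attribute) is an allowlisted domain name.
function remoteCandidateAllowed(line) {
  const f = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return false;
  return hostAllowed(f[4].toLowerCase());
}
```

A check like this only constrains what the page's own script passes in; the thread's point is that the restriction would have to be enforced by the browser for a CSP directive to mean anything.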