
Re: webRTC and Content Security Policy connect-src

From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Fri, 12 Jan 2018 19:36:11 +0100
To: T H Panton <thp@westhawk.co.uk>
Cc: Peter Thatcher <pthatcher@google.com>, Cullen Jennings <fluffy@iii.ca>, Iñaki Baz Castillo <ibc@aliax.net>, "public-webrtc@w3.org" <public-webrtc@w3.org>
Message-ID: <bfd2d128-02bf-9a19-635c-1251941119e2@gmail.com>
On 12/01/2018 19:22, T H Panton wrote:
> On 12 Jan 2018, at 18:17, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> wrote:
>>
>>   * remote candidates: any remote candidate passed to a PC (either
>>     on the setRemoteDescription or addIceCandidate) not matching an
>>     entry on the whitelist will be discarded
>>
> You've just disabled P2P in webrtc. Unless you get lucky and 
> peer-reflexive happens to work, which it won't if both sides have the 
> same CSP policy.
Exactly, but you can enable it back by adding "ice:*" if you understand 
the risks or not using CSP at all. Also, note that in your banking case, 
you can deliver different CSP headers to users and to the agents.

Regards
Sergio
Received on Friday, 12 January 2018 18:36:33 UTC
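
The remote-candidate filtering discussed in this thread, sketched as an added example that is not part of the original message or of any browser implementation. The `ice:<address>` entry form and all function names are assumptions modelled on the `ice:*` entry mentioned above; no such CSP syntax is standardized.

```javascript
// Added illustration. The "ice:<address>" allowlist syntax is an assumption
// modelled on the "ice:*" entry in the thread, not a real CSP directive.

// Extract the connection-address from an ICE candidate attribute:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
function candidateAddress(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ \S+/i.exec(line.trim());
  return m ? m[1].toLowerCase() : null;
}

// True when the candidate address matches an entry. Unparseable input fails closed.
function isAllowed(line, allowlist) {
  const addr = candidateAddress(line);
  if (addr === null) return false;
  return allowlist.some((entry) => {
    if (!entry.startsWith("ice:")) return false;
    const host = entry.slice(4).toLowerCase();
    return host === "*" || host === addr;
  });
}

// setRemoteDescription path: drop a=candidate lines that are not allowed.
function filterSdp(sdp, allowlist) {
  return sdp
    .split(/\r?\n/)
    .filter((l) => !l.startsWith("a=candidate:") || isAllowed(l, allowlist))
    .join("\r\n");
}

// addIceCandidate path: return the candidate, or null when it is discarded.
function filterCandidate(init, allowlist) {
  if (init.candidate === "") return init; // end-of-candidates carries no address
  return isAllowed(init.candidate, allowlist) ? init : null;
}

// Constructed sample SDP fragment (documentation addresses only).
const sampleSdp = [
  "v=0",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "a=candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host",
  "a=candidate:2 1 udp 1686052607 198.51.100.7 3478 typ relay raddr 0.0.0.0 rport 0",
].join("\r\n");

// With only the relay address listed, the peer's host candidate is removed.
console.log(filterSdp(sampleSdp, ["ice:198.51.100.7"]));
```

With an allowlist that names only the relay address, the host candidate is stripped and the session can only use the relay, which is the loss of direct P2P raised in the quoted reply; an `ice:*` entry lets every candidate through again.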
