Re: webRTC and Content Security Policy connect-src

On 12/01/2018 19:22, T H Panton wrote:
> On 12 Jan 2018, at 18:17, Sergio Garcia Murillo
> <sergio.garcia.murillo@gmail.com> wrote:
>>
>>   * remote candidates: any remote candidate passed to a PC (either
>>     on the setRemoteDescription or addIceCandidate) not matching an
>>     entry on the whitelist will be discarded
>>
> You've just disabled P2P in webrtc. Unless you get lucky and 
> peer-reflexive happens to work, which it won't if both sides have the 
> same CSP policy.
Exactly, but you can enable it again by adding "ice:*" if you understand 
the risks, or by not using CSP at all. Also, note that in your banking case, 
you can deliver different CSP headers to users and to the agents.

Regards
Sergio

Received on Friday, 12 January 2018 18:36:33 UTC