Re: webRTC and Content Security Policy connect-src

From: Roman Shpount <roman@telurix.com>
Date: Fri, 12 Jan 2018 13:58:01 -0500
Message-ID: <CAD5OKxtfnR8nJ0kNteOXuzxVP-dsqP6P-U22-HmbQd5M0x1YTQ@mail.gmail.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Cc: T H Panton <thp@westhawk.co.uk>, Peter Thatcher <pthatcher@google.com>, Cullen Jennings <fluffy@iii.ca>, Iñaki Baz Castillo <ibc@aliax.net>, "public-webrtc@w3.org" <public-webrtc@w3.org>

I think that this is something that should be solved by listing allowed
identity providers in CSP. If the remote session description was validated by
one of the listed identity providers, then the browser is allowed to start
setting up the connection. Without identity, WebRTC is a wide-open barn door
which will allow malicious JavaScript to create a side channel regardless
of what you do.

Roman Shpount
Received on Friday, 12 January 2018 18:58:34 UTC