Re: webRTC and Content Security Policy connect-src

I think that this is something that should be solved by listing allowed
identity providers in CSP. If the remote session description was validated by
one of the listed identity providers, then the browser is allowed to start
setting up the connection. Without identity, WebRTC is a wide open barn door
which will allow malicious JavaScript to create a side channel regardless
of what you do.

Regards,
_____________
Roman Shpount

Received on Friday, 12 January 2018 18:58:34 UTC