Re: webRTC and Content Security Policy connect-src

On 12/01/2018 22:38, Peter Thatcher wrote:
>
>     Unless you get lucky and peer-reflexive happens to work, which it
>     won't if both sides have the same CSP policy.
>
>
> Hmmm.... I forgot about peer-reflexive candidates.  Those would allow
> JS to send data out by creating a PeerConnection, gathering STUN
> candidates along with ICE ufrag/pwd (even with a whitelisted STUN
> server), sending those candidates to a controlled server, sending an ICE
> check from the server to the client, and getting the client to connect back.
>
> Which means whitelisted domain candidates wouldn't be enough.  You'd 
> also have to disable peer reflexive candidates.

What do you mean by "send those candidates to a controlled server"? If 
CSP is in place you should not be able to do so.

Regards
Sergio

Received on Friday, 12 January 2018 22:13:02 UTC