Re: webRTC and Content Security Policy connect-src

Ah, yes.  You are right.   Peer-reflexive candidates might be safe then.

On Fri, Jan 12, 2018, 2:12 PM Sergio Garcia Murillo <
sergio.garcia.murillo@gmail.com> wrote:

> On 12/01/2018 22:38, Peter Thatcher wrote:
>
>
> Unless you get lucky and peer-reflexive happens to work, which it won't if
>> both sides have the same CSP policy.
>>
>
> Hmmm.... I forgot about peer-reflexive candidates.  Those would allow JS
> to send data out by creating a PeerConnection, gathering STUN candidates
> along with ICE ufrag/pwd (even with a whitelisted STUN server), sending those
> candidates to a controlled server, sending an ICE check from the server to the
> client, and getting the client to connect back.
>
> Which means whitelisted domain candidates wouldn't be enough.  You'd also
> have to disable peer reflexive candidates.
>
>
> What do you mean by "send those candidates to a controlled server"? If CSP
> is in place you should not be able to do so.
>
> Regards
>
> Sergio
>
>
>

Received on Friday, 12 January 2018 22:18:02 UTC