Re: webRTC and Content Security Policy connect-src from Sergio Garcia Murillo on 2018-01-15 (public-webrtc@w3.org from January 2018)

From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Mon, 15 Jan 2018 19:01:20 +0100
To: Eric Rescorla <ekr@rtfm.com>
Cc: Byron Campen <docfaraday@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Iñaki Baz Castillo <ibc@aliax.net>, Cullen Jennings <fluffy@iii.ca>
Message-ID: <8bf4489a-69b9-b184-4abe-8a8de0d74774@gmail.com>

On 15/01/2018 18:45, Eric Rescorla wrote:
>
> On Mon, Jan 15, 2018 at 7:16 AM, Sergio Garcia Murillo 
> <sergio.garcia.murillo@gmail.com 
> <mailto:sergio.garcia.murillo@gmail.com>> wrote:
>
>     Well, I don't agree with how that statement is written (although I
>     think we share the same idea)
>
>     WebRTC must be *disabled* by default if CSP is in place.
>
>
> Hmm... you mean with *existing* CSP? That seems like it violates the 
> principle of least astonishment quite baly.

I think actually it is just the opposite.

Let me explain: now you set CSP connect-src to forbid sending/receiving 
data except from the specified hosts, but it doesn't matter, because 
WebRTC allows to send and receive data from any place via datachanels..

As a web developer, I would expect that if set CSP connect-src to 
http://whatever, WebRTC would not be able to leaked data.

Best regards
Sergio

Received on Monday, 15 January 2018 18:01:51 UTC