
Re: webRTC and Content Security Policy connect-src

From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Mon, 15 Jan 2018 19:01:42 +0100
To: Eric Rescorla <ekr@rtfm.com>
Cc: Byron Campen <docfaraday@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Iñaki Baz Castillo <ibc@aliax.net>, Cullen Jennings <fluffy@iii.ca>
Message-ID: <47b8bbef-408c-e15a-9536-c74ee11b5b07@gmail.com>
On 15/01/2018 18:45, Eric Rescorla wrote:
>
> On Mon, Jan 15, 2018 at 7:16 AM, Sergio Garcia Murillo 
> <sergio.garcia.murillo@gmail.com 
> <mailto:sergio.garcia.murillo@gmail.com>> wrote:
>
>     Well, I don't agree with how that statement is written (although I
>     think we share the same idea)
>
>     WebRTC must be *disabled* by default if CSP is in place.
>
>
> Hmm... you mean with *existing* CSP? That seems like it violates the 
> principle of least astonishment quite badly.

I think actually it is just the opposite.

Let me explain: right now you set CSP connect-src to forbid sending/receiving 
data except from the specified hosts, but it doesn't matter, because 
WebRTC allows sending and receiving data from anywhere via datachannels.

As a web developer, I would expect that if I set CSP connect-src to 
http://whatever, WebRTC would not be able to leak data to a rogue 
datachannel server.

Best regards
Sergio
Received on Monday, 15 January 2018 18:02:10 UTC
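To make the gap discussed in this message concrete, here is an added example (my own code, not from the thread or from any browser): a simplified evaluator for the CSP connect-src directive in the shape of the CSP Level 3 "does url match source list" algorithm, run against a constructed policy and page origin, followed by a parser for an ICE candidate line. The policy, origin, URLs and candidate are all constructed for the demonstration; the evaluator ignores path matching and nonce/hash sources and honours only the http-to-https and ws-to-wss scheme upgrades.

```javascript
// Added example: simplified CSP connect-src evaluation (not a browser's code).
// URL is the WHATWG URL class, global in browsers and in Node.

// Parse a policy header into a Map of directive name -> source expressions.
// The first occurrence of a directive wins, as in the CSP parsing algorithm.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Expression scheme A vs URL scheme B (both without the colon):
// equal, or a secure upgrade. Simplified from the CSP3 scheme-part rules.
function schemeMatches(a, b) {
  a = a.toLowerCase();
  return a === b || (a === 'http' && b === 'https') || (a === 'ws' && b === 'wss');
}

// Host pattern: exact host, "*" or a "*.example.com" wildcard (one or more labels).
function hostMatches(pattern, hostname) {
  pattern = pattern.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Does one source expression match url, given the page's own origin?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  const urlScheme = url.protocol.slice(0, -1);
  if (expr === '*') return ['http', 'https', 'ws', 'wss'].includes(urlScheme);
  if (expr === "'self'") {
    const self = new URL(pageOrigin);
    return self.protocol === url.protocol && self.hostname === url.hostname && self.port === url.port;
  }
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr); // e.g. "wss:"
  if (schemeOnly) return schemeMatches(schemeOnly[1], urlScheme);
  // host-source: [scheme://]host[:port][/path]; the path is ignored here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const exprScheme = scheme || new URL(pageOrigin).protocol.slice(0, -1);
  if (!schemeMatches(exprScheme, urlScheme)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port === undefined) return url.port === ''; // WHATWG URL leaves the default port empty
  if (port === '*') return true;
  return port === url.port;
}

// Is a connection to target permitted for a page at pageOrigin?
// connect-src falls back to default-src; with neither present the fetch is allowed.
function connectAllowed(header, pageOrigin, target) {
  const directives = parseCsp(header);
  const sources = directives.get('connect-src') || directives.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(target);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// An ICE candidate names a WebRTC peer by transport, address and port, not by URL,
// so there is no scheme or host for the evaluator above to test: that is the gap
// the message describes. Parsing one shows what a data-channel policy would have to match on.
function parseIceCandidate(line) {
  const f = line.replace(/^candidate:/, '').split(' ');
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

// Constructed policy, page origin and targets for the demonstration.
const POLICY = "default-src 'self'; connect-src https://api.example.com wss://*.example.com";
const PAGE = 'https://app.example.com';

function demo() {
  return {
    api: connectAllowed(POLICY, PAGE, 'https://api.example.com/v1/data'),    // true
    socket: connectAllowed(POLICY, PAGE, 'wss://rt.example.com:443/events'), // true
    exfil: connectAllowed(POLICY, PAGE, 'https://collector.example.net/up'), // false
    // Constructed candidate line; nothing in POLICY can be applied to it.
    peer: parseIceCandidate('candidate:1 1 udp 2122260223 203.0.113.5 40000 typ host'),
  };
}

console.log(demo());
```

The point of the pairing is that every fetch, XHR and WebSocket target is a URL the evaluator can judge, while a data channel's peer is only an address and port inside an ICE candidate, so connect-src as defined in 2018 has nothing to evaluate. CSP Level 3 later added a separate `webrtc` directive (`'allow'` or `'block'`) rather than stretching connect-src to cover it.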