On 15/01/2018 18:45, Eric Rescorla wrote:
>
> On Mon, Jan 15, 2018 at 7:16 AM, Sergio Garcia Murillo
> <sergio.garcia.murillo@gmail.com> wrote:
>
> Well, I don't agree with how that statement is written (although I
> think we share the same idea)
>
> WebRTC must be *disabled* by default if CSP is in place.
>
>
> Hmm... you mean with *existing* CSP? That seems like it violates the
> principle of least astonishment quite badly.
I think actually it is just the opposite.
Let me explain: right now you set CSP connect-src to forbid sending/receiving
data except from the specified hosts, but it doesn't matter, because
WebRTC allows sending and receiving data from anywhere via data channels.
As a web developer, I would expect that if I set CSP connect-src to
http://whatever, WebRTC would not be able to leak data to a rogue
data channel server.
Best regards
Sergio
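
As an added illustration of the point made above (this is not code from the
thread, nor from any browser or WebRTC implementation), here is a small
JavaScript model of how a browser checks URL-addressed connections such as
fetch/XHR and WebSocket against CSP connect-src, next to the WebRTC data
channel path, whose remote peer is negotiated through SDP/ICE rather than
named by a URL, so connect-src has nothing to match it against. The policy
string, the page origin "https://app.example" and the endpoint hostnames are
constructed for the demonstration; the WebRTC branch encodes the 2018-era
behaviour described in the message, not whatever a current browser does.

```javascript
// Simplified CSP3 source-expression matching for connect-src, plus the
// WebRTC data channel case that connect-src never sees.
// Added example; all hosts, origins and the policy are constructed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "default-src 'self'; connect-src http://whatever" -> Map(name -> [sources])
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// connect-src falls back to default-src when absent, as the spec says.
function connectSources(directives) {
  if (directives.has('connect-src')) return directives.get('connect-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // nothing governs connections
}

function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  // CSP3 lets http: match https: and ws: match wss: (secure upgrades).
  return (exprScheme === 'http:' && urlScheme === 'https:') ||
         (exprScheme === 'ws:' && urlScheme === 'wss:');
}

// Does one source expression match a URL? (CSP3 "Does url match expression", simplified)
function sourceMatches(expr, url, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.toLowerCase(), url.protocol);
  // host-source: [scheme "://"] host [":" port] [path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/\s]+)(?::(\*|\d+))?(\/[^\s]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const exprScheme = scheme ? scheme.toLowerCase() + ':' : new URL(selfOrigin).protocol;
  if (!schemeMatches(exprScheme, url.protocol)) return false;
  const h = host.toLowerCase(), uh = url.hostname.toLowerCase();
  if (h === '*') { /* any host */ }
  else if (h.startsWith('*.')) { if (!uh.endsWith(h.slice(1)) || uh === h.slice(2)) return false; }
  else if (h !== uh) return false;
  // URL normalises a default port to '', so a bare host-source only matches default ports.
  if (port === undefined) { if (url.port !== '') return false; }
  else if (port !== '*' && port !== (url.port || DEFAULT_PORTS[url.protocol])) return false;
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// attempt = { kind: 'fetch' | 'websocket', url }  or  { kind: 'webrtc-datachannel', peer }
function evaluateConnection(policy, selfOrigin, attempt) {
  if (attempt.kind === 'webrtc-datachannel') {
    // The remote end is an ICE candidate (IP:port from SDP), not a URL the page
    // fetches, so connect-src is never consulted and the data leaves anyway.
    return { allowed: true, governed: false, reason: 'connect-src does not cover WebRTC peers' };
  }
  const sources = connectSources(parsePolicy(policy));
  if (sources === null) return { allowed: true, governed: false, reason: 'no connect-src/default-src' };
  const url = new URL(attempt.url);
  const allowed = sources.some(s => sourceMatches(s, url, selfOrigin));
  return { allowed, governed: true, reason: allowed ? 'matched connect-src' : 'blocked by connect-src' };
}

// Constructed scenario: the page whitelists http://whatever, then tries three exits.
const POLICY = "default-src 'self'; connect-src http://whatever";
const SELF = 'https://app.example';
function exfilScenario() {
  return {
    fetchAllowed: evaluateConnection(POLICY, SELF, { kind: 'fetch', url: 'http://whatever/api' }),
    wsBlocked: evaluateConnection(POLICY, SELF, { kind: 'websocket', url: 'wss://exfil.example/c2' }),
    rtcLeak: evaluateConnection(POLICY, SELF, { kind: 'webrtc-datachannel', peer: '203.0.113.7:50000' }),
  };
}

module.exports = { parsePolicy, connectSources, sourceMatches, evaluateConnection, exfilScenario };
```

Running exfilScenario() shows the asymmetry in the message: the WebSocket to
the rogue host is refused by connect-src, while the data channel to the same
kind of attacker-controlled endpoint is neither matched nor blocked, because
the policy has no URL to compare it with.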