Re: webRTC and Content Security Policy connect-src

On 15/01/2018 18:45, Eric Rescorla wrote:
>
> On Mon, Jan 15, 2018 at 7:16 AM, Sergio Garcia Murillo 
> <sergio.garcia.murillo@gmail.com 
> <mailto:sergio.garcia.murillo@gmail.com>> wrote:
>
>     Well, I don't agree with how that statement is written (although I
>     think we share the same idea)
>
>     WebRTC must be *disabled* by default if CSP is in place.
>
>
> Hmm... you mean with *existing* CSP? That seems like it violates the 
> principle of least astonishment quite badly.

I think actually it is just the opposite.

Let me explain: right now you set CSP connect-src to forbid sending/receiving 
data except from the specified hosts, but it doesn't matter, because 
WebRTC allows sending and receiving data from any place via datachannels.

As a web developer, I would expect that if I set CSP connect-src to 
http://whatever, WebRTC would not be able to leak data to a rogue 
datachannel server.

Best regards
Sergio

Received on Monday, 15 January 2018 18:02:10 UTC
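A small audit helper illustrating the gap discussed in this thread, added here as an example and not taken from the list archive or any WebRTC project: it parses a serialized CSP and reports when `connect-src` restricts fetch/XHR/WebSocket destinations while nothing constrains RTCPeerConnection. It assumes the CSP Level 3 `webrtc` directive (`'allow'` / `'block'`), which is a later addition to CSP and is not mentioned in the 2018 exchange above.

```python
"""Check whether a Content-Security-Policy header constrains WebRTC.

Constructed example, not code from the mailing-list thread. Assumes the
CSP Level 3 `webrtc` directive ('allow' | 'block'); `connect-src` alone
does not govern RTCPeerConnection or its data channels.
"""
from __future__ import annotations


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, *values = parts
        # Per the CSP spec, only the first occurrence of a directive counts.
        policy.setdefault(name.lower(), values)
    return policy


def webrtc_is_blocked(header: str) -> bool:
    """True only if the policy explicitly carries `webrtc 'block'`."""
    policy = parse_csp(header)
    return [v.lower() for v in policy.get("webrtc", [])] == ["'block'"]


def audit_webrtc(header: str) -> list[str]:
    """Return findings for a policy that restricts connect-src but not WebRTC."""
    policy = parse_csp(header)
    findings: list[str] = []
    if "webrtc" not in policy:
        findings.append("no 'webrtc' directive: RTCPeerConnection is unrestricted")
    # connect-src falls back to default-src when absent.
    connect = policy.get("connect-src") or policy.get("default-src")
    if connect and "*" not in connect and not webrtc_is_blocked(header):
        findings.append(
            "connect-src restricts fetch/XHR/WebSocket, but WebRTC data "
            "channels may still reach any peer"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample header of the kind described in the thread.
    sample = "default-src 'self'; connect-src https://api.example.com"
    for finding in audit_webrtc(sample):
        print("-", finding)
```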