W3C home > Mailing lists > Public > public-webrtc@w3.org > January 2018

Re: webRTC and Content Security Policy connect-src

From: Roman Shpount <roman@telurix.com>
Date: Mon, 15 Jan 2018 13:18:59 -0500
Message-ID: <CAD5OKxu8JkZxZPpJTzeROPGOAwfqApNqkrzBoqibzukbY+kfsQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, IƱaki Baz Castillo <ibc@aliax.net>, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, Cullen Jennings <fluffy@iii.ca>
On Sun, Jan 14, 2018 at 10:33 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> (Re: Roman's suggestion about identity.  Though it would be nice if we
> could do something to restrict communications based on identity,
> identity can't help here.  It takes effect too late in the process.)
>
>
I agree identity happen too late in the process. What is needed here is
ability to cryptographically sign ICE candidates, TURN and STUN servers.
Signing with certificate of some well known domain listed in CSP seems like
a good option. This, of cause, will require API extensions to provide these
signatures.

Ability to disable webrtc from CSP is great, but we need ability to
restrict web page communications even when WebRTC is used. For instance, as
a real time communication provider user, I do not want rogue javascript
sharing all my communications with third parties.

Regards,
_____________
Roman Shpount
Received on Monday, 15 January 2018 18:19:24 UTC

This archive was generated by hypermail 2.3.1 : Monday, 15 January 2018 18:19:25 UTC