Re: webRTC and Content Security Policy connect-src

On Sun, Jan 14, 2018 at 10:33 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> (Re: Roman's suggestion about identity.  Though it would be nice if we
> could do something to restrict communications based on identity,
> identity can't help here.  It takes effect too late in the process.)
>
>
I agree identity happens too late in the process. What is needed here is
the ability to cryptographically sign ICE candidates, TURN and STUN servers.
Signing with the certificate of some well-known domain listed in CSP seems like
a good option. This, of course, will require API extensions to provide these
signatures.

The ability to disable WebRTC from CSP is great, but we need the ability to
restrict web page communications even when WebRTC is used. For instance, as
a user of a real-time communication provider, I do not want rogue JavaScript
sharing all my communications with third parties.

Regards,
_____________
Roman Shpount

Received on Monday, 15 January 2018 18:19:24 UTC