Re: webRTC and Content Security Policy connect-src

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 16 Jan 2018 09:45:46 +1100
Message-ID: <CABkgnnVGyjVpJD8OfyGhYMJ3GGKmN4ucCT+HXeTyR8btpwH4Jg@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Cc: T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Iñaki Baz Castillo <ibc@aliax.net>, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, Cullen Jennings <fluffy@iii.ca>
On Tue, Jan 16, 2018 at 5:18 AM, Roman Shpount <roman@telurix.com> wrote:
> I agree identity happens too late in the process. What is needed here is
> the ability to cryptographically sign ICE candidates, TURN and STUN servers.
> Signing with certificate of some well known domain listed in CSP seems like
> a good option. This, of course, will require API extensions to provide these
> signatures.

Actually, it doesn't need changes, just a shift in what the browser
provides to the IdP.  The main cost is in latency.  At some point it
is necessary to go back to a server and adding that for trickle ICE
would hurt.  Also, the marginal gain is tiny.  We're talking about
CSP, which is belt-and-braces defense against script issues; it's not
bulletproofing for the entire negotiation.
Received on Monday, 15 January 2018 22:46:08 UTC
