Re: webRTC and Content Security Policy connect-src

On Tue, Jan 16, 2018 at 5:18 AM, Roman Shpount <roman@telurix.com> wrote:
> I agree identity happens too late in the process. What is needed here is
> the ability to cryptographically sign ICE candidates, TURN and STUN servers.
> Signing with the certificate of some well-known domain listed in CSP seems like
> a good option. This, of course, will require API extensions to provide these
> signatures.

Actually, it doesn't need changes, just a shift in what the browser
provides to the IdP.  The main cost is in latency.  At some point it
is necessary to go back to a server and adding that for trickle ICE
would hurt.  Also, the marginal gain is tiny.  We're talking about
CSP, which is belt-and-braces defense against script issues; it's not
bulletproofing for the entire negotiation.

Received on Monday, 15 January 2018 22:46:08 UTC