Re: webRTC and Content Security Policy connect-src

On 15/01/18 23:19, Harald Alvestrand wrote:
> I think there's a pretty obvious intersection here: If CSP connect-src:
> is set, only access to addresses that are already known to be addresses
> of permitted hosts are permitted.
> 
> That allows a single use case that I can see: Centralized conferencing
> servers, with all servers including STUN servers named by DNS names that
> can be looked up in advance.

Would not TURN servers (named by DNS names that can be looked up in 
advance) be allowed as well?

> 
> Pretty close to "disable WebRTC".

If TURN is OK it would be "allow WebRTC via relay only".


Received on Tuesday, 16 January 2018 10:38:16 UTC
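
The "relay only" reading discussed in this message, sketched as an added example that is not part of the original thread or of any specification: ICE servers are kept only when their DNS name appears in `connect-src`, and candidates are restricted to TURN relays. The function names, the sample policy and the rule of matching on host name only (scheme and port ignored) are assumptions of this example.

```javascript
// Added example; function names are hypothetical. Assumption: an ICE server is
// allowed when its DNS name matches a connect-src host-source (scheme/port ignored).
const ICE_URL = /^(stuns?|turns?):(\[[^\]]+\]|[^:?]+)(?::\d+)?(?:\?.*)?$/i;

// Host-sources of the connect-src directive, or null when the directive is absent.
function connectSrcHosts(policy) {
  const directive = policy.split(";").map((d) => d.trim())
    .find((d) => /^connect-src(\s|$)/i.test(d));
  if (directive === undefined) return null;
  return directive.split(/\s+/).slice(1)
    // Skip keywords ('self', 'none') and bare scheme-sources such as "wss:".
    .filter((s) => !s.startsWith("'") && !/^[a-z][a-z0-9+.-]*:$/i.test(s))
    .map((s) => s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "") // drop scheme
      .replace(/[/:].*$/, "").toLowerCase());              // drop port and path
}

function hostAllowed(host, allowed) {
  const h = host.toLowerCase();
  // "*.example.net" matches subdomains only, not "example.net" itself.
  return allowed.some((p) =>
    p === "*" || p === h || (p.startsWith("*.") && h.endsWith(p.slice(1))));
}

// Keep only ICE servers on permitted hosts and force relay-only candidates.
function restrictIceConfig(config, policy) {
  const allowed = connectSrcHosts(policy);
  if (allowed === null) return { config, rejected: [] }; // no connect-src set
  const iceServers = [];
  const rejected = [];
  for (const server of config.iceServers || []) {
    const urls = [];
    for (const url of [].concat(server.urls)) {
      const m = ICE_URL.exec(url);
      (m && hostAllowed(m[2], allowed) ? urls : rejected).push(url);
    }
    if (urls.length > 0) iceServers.push({ ...server, urls });
  }
  return { config: { ...config, iceServers, iceTransportPolicy: "relay" }, rejected };
}

// Constructed sample policy and configuration (not taken from the thread).
const SAMPLE_POLICY = "default-src 'self'; connect-src 'self' https://app.example.com turn.example.com *.relay.example.net";
const SAMPLE_CONFIG = { iceServers: [
  { urls: ["stun:stun.l.example.org:19302"] },
  { urls: ["turn:turn.example.com:3478?transport=udp", "turns:eu.relay.example.net:5349"], username: "u", credential: "c" },
  { urls: "turn:203.0.113.7:3478", username: "u", credential: "c" },
] };
```

The `config` returned by `restrictIceConfig(SAMPLE_CONFIG, SAMPLE_POLICY)` can be passed to `new RTCPeerConnection(...)`; the `rejected` list shows which server URLs fell outside the policy.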