Re: webRTC and Content Security Policy connect-src

From: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
Date: Tue, 16 Jan 2018 10:36:57 +0000
To: Harald Alvestrand <harald@alvestrand.no>, "public-webrtc@w3.org" <public-webrtc@w3.org>
Message-ID: <HE1PR07MB3418F4CBB2060396B89448F4C9EA0@HE1PR07MB3418.eurprd07.prod.outlook.com>

On 15/01/18 23:19, Harald Alvestrand wrote:
> I think there's a pretty obvious intersection here: If CSP connect-src:
> is set, only access to addresses that are already known to be addresses
> of permitted hosts are permitted.
> 
> That allows a single use case that I can see: Centralized conferencing
> servers, with all servers including STUN servers named by DNS names that
> can be looked up in advance.

Would not TURN servers (named by DNS names that can be looked up in 
advance) be allowed as well?

> 
> Pretty close to "disable WebRTC".

If TURN is OK it would be "allow WebRTC via relay only".

Received on Tuesday, 16 January 2018 10:38:16 UTC
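
Added example, not part of the original message and not browser CSP behaviour: an application-level sketch of the "relay only" outcome discussed above, keeping only TURN servers whose DNS name is on an allowlist and setting the standard `iceTransportPolicy: "relay"`. The helper names, the allowlist and the sample servers are assumptions constructed for illustration.

```javascript
// Constructed allowlist standing in for the hosts a site would name in connect-src.
const ALLOWED_HOSTS = new Set(["turn.example.org", "stun.example.org"]);

// Parse a STUN/TURN URI of the form scheme:host[:port][?transport=udp|tcp].
function parseIceUrl(url) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?\[\]]+)(?::(\d+))?(?:\?transport=(udp|tcp))?$/i.exec(url);
  if (!m) return null; // malformed entries are dropped, never passed through
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] ? Number(m[3]) : null };
}

// Keep only URLs whose host is allowlisted; with relayOnly, also drop STUN entries.
function filterIceServers(iceServers, allowedHosts, relayOnly) {
  const kept = [];
  for (const server of iceServers) {
    const urls = [].concat(server.urls).filter((u) => {
      const p = parseIceUrl(u);
      if (!p || !allowedHosts.has(p.host)) return false; // unknown name or IP literal
      return !relayOnly || p.scheme.startsWith("turn");
    });
    if (urls.length > 0) kept.push({ ...server, urls });
  }
  return kept;
}

// Build an RTCConfiguration that only ever talks to allowlisted relays.
// Fails closed: with no permitted TURN server there is no configuration.
function buildRelayOnlyConfig(iceServers, allowedHosts) {
  const relays = filterIceServers(iceServers, allowedHosts, true);
  if (relays.length === 0) {
    throw new Error("no allowlisted TURN server; refusing to build a configuration");
  }
  // "relay" makes the ICE agent gather and use relay candidates only.
  return { iceServers: relays, iceTransportPolicy: "relay" };
}

// Constructed sample input: one allowlisted STUN server, one allowlisted TURN
// server, one TURN server on an unlisted name, one TURN server by IP literal.
const SAMPLE_ICE_SERVERS = [
  { urls: "stun:stun.example.org:3478" },
  { urls: ["turn:turn.example.org:3478?transport=udp", "turns:relay.other.test:5349"],
    username: "user", credential: "secret" },
  { urls: "turn:203.0.113.7:3478", username: "user", credential: "secret" },
];

// In a browser: new RTCPeerConnection(buildRelayOnlyConfig(SAMPLE_ICE_SERVERS, ALLOWED_HOSTS))
```

Because this runs in page script, it restricts only code that calls it; it does not stop other script on the page from constructing its own `RTCPeerConnection`.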