[webrtc-pc] Integrate CSP access control into algorithms

alvestrand has just created a new issue for https://github.com/w3c/webrtc-pc:

== Integrate CSP access control into algorithms ==
If https://github.com/w3c/webappsec-csp/pull/287 lands in the CSP spec, the webrtc spec should specify where and how this access is checked.

As per comment in that thread, suggestion:

The following situations are to be checked according to this directive:

* A host URL occurs in the list of RTCIceServers of an RTCConfiguration when a PeerConnection is created. In this case, the PeerConnection creation will fail.
* A host URL occurs in the list of RTCIceServers of an RTCConfiguration when a PeerConnection's setConfiguration method is called. In this case, setting the configuration will fail.
* An address occurs in the ip, protocol and port fields of an RTCIceCandidate created from SetRemoteDescription or AddIceCandidate. In this case, the call will be rejected.

And perhaps a note of caution, something like: "Due to the problem of listing all possible communication partners for a WebRTC application, the "*" value is likely to be the most useful value to set as the value of the "webrtc-src" directive".


Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1742 using your GitHub account

Received on Friday, 19 January 2018 08:20:41 UTC