Integrate CSP access control into algorithms #36
Comments
I will prefer to ignore that ICE candidate instead of dropping the whole call. That would allow to specify the TURN server ip on the CSP directive and get a P2P call going through it without needed to modify any existing code. If we drop the call, the SDP/candidates would need to be filtered out by the app to be able to do so. |
|
Referencing #1727 (cause bug) and w3c/webappsec-csp#287 (suggested CSP change) for context. |
|
Discussion is ongoing at the webappsec-csp bug. |
|
@alvestrand the discussion seems to have stalled in CSP; if we want this to be part of 1.0, I think it would be useful to rekindle progress on this |
|
Since this is a new feature, and we've stopped adding new features, I'm moving this to the NV repo. |
|
@alvestrand Does CSP require its own use case, or can we add a CSP requirement to another use case such as the Secure Conferencing Use Case PR #34 ? |
|
I'd classify this as a general issue. It can't really be tied to a specific use case. |
|
@lgrahl. Makes sense to not tie it to a specific use case. Will add it to the requirements list and cite it in multiple use cases. |
|
With merger of PR 38, closing this issue. |
If w3c/webappsec-csp#287 lands in the CSP spec, the webrtc spec should specify where and how this access is checked.
As per comment in that thread, suggestion:
The following situations are to be checked according to this directive:
And perhaps a note of caution, something like: "Due to the problem of listing all possible communication partners for a WebRTC application, the "*" value is likely to be the most useful value to set as the value of the "webrtc-src" directive".
The text was updated successfully, but these errors were encountered: