Re: CSP for WebRTC from Martin Thomson on 2014-09-02 (public-webappsec@w3.org from September 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 1 Sep 2014 20:21:12 -0700
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CABkgnnX6Pj_vtuneaRKtFAsOvVbKhLxvnQ7+TP5JwhLOD6tgCQ@mail.gmail.com>

On Sep 1, 2014 1:55 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
> On Fri, Aug 29, 2014 at 1:29 AM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
> > Unlike other sources of script-accessible data, peer-to-peer data is
> > not associated with an origin, so I think that the only thing to do is
> > to clump all WebRTC data into a single group and identify that group
> > with a keyword source.
>
> Could you perhaps explain or provide a pointer that explains the security
model?

https://tools.ietf.org/html/draft-rtcweb-security should do it.

> > Thus, I'd like to suggest a new keyword-source of 'webrtc-data',
> > governing the use of WebRTC data channels. That leaves the option to
> > block 'webrtc-media' in the future.  Alternatively, or in addition to
> > that, a single keyword 'webrtc' might cover both, should that be
> > desired.
>
> Should we tie the name to WebRTC or name this p2p/rtc in case other
> protocols come along such as ORTC?

ORTC is still going to be WebRTC. It is either 1.1 or 2.0, but the basic
name is ok.

Received on Tuesday, 2 September 2014 03:21:39 UTC