Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Eric Rescorla
On Sat, Jun 18, 2016 at 4:55 PM, Anne van Kesteren wrote:
> On Sat, Jun 18, 2016 at 2:37 PM, Eric Rescorla wrote:
> > The priority of this proposed feature seems to depend rather a lot on whether enough advertisers are using WebRTC to deliver ads to make

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Anne van Kesteren
On Sat, Jun 18, 2016 at 4:55 PM, Anne van Kesteren wrote:
> Isn't the problem more that if you use CSP to block outgoing connections, WebRTC can be used for exfiltration during XSS?

I filed https://github.com/w3c/webappsec-csp/issues/92 to start the standards discussion.

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Anne van Kesteren
On Sat, Jun 18, 2016 at 2:37 PM, Eric Rescorla wrote:
> The priority of this proposed feature seems to depend rather a lot on whether enough advertisers are using WebRTC to deliver ads to make it worth some ad blocker being interested in adding such a blocker. Do we have any

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Eric Rescorla
The priority of this proposed feature seems to depend rather a lot on whether enough advertisers are using WebRTC to deliver ads to make it worth some ad blocker being interested in adding such a blocker. Do we have any evidence on this front? It's worth noting that from a security and tracking

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Paul Ellenbogen
On Fri, Jun 17, 2016 at 6:43 PM, Jan-Ivar Bruaroey wrote:
> Data channels are modeled on web sockets, and I see we do this for web sockets. https://bugzil.la/692067
>
> However, data channels are typically opened to other *clients*, not servers.
> While WebRTC is typically