Re: WebRTC connections do not trigger content policies. Should they?

2016-07-11 Thread rhill
On Friday, June 17, 2016 at 10:28:55 AM UTC-4, Paul Ellenbogen wrote: > At the moment, WebRTC does not check if connections are okay by content > policies. > > WebRTC data channels as a side

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-24 Thread Paul Ellenbogen
I think you are right. I asked on the Easy List forum and didn't get any compelling reason WebRTC could be blocked from advertisers. Advertisers would be able to do what you describe to allow for harder to block dynamic IPs. As you said elsewhere,

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-21 Thread Eric Rescorla
On Tue, Jun 21, 2016 at 12:30 PM, Daniel Veditz wrote: > On Sat, Jun 18, 2016 at 6:37 AM, Eric Rescorla wrote: > > > instead of having it sourced from the > > advertiser's > > origin, they instead stand > > up ".publisher.example.com"

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-21 Thread Daniel Veditz
On Sat, Jun 18, 2016 at 6:37 AM, Eric Rescorla wrote: > instead of having it sourced from the > advertiser's > origin, they instead stand > up ".publisher.example.com" > and > point > it at the advertiser's > IP addresses (via an A record to the

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Eric Rescorla
On Sat, Jun 18, 2016 at 4:55 PM, Anne van Kesteren wrote: > On Sat, Jun 18, 2016 at 2:37 PM, Eric Rescorla wrote: > > The priority of this proposed feature seems to depend rather a lot on > > whether enough > > advertisers are using WebRTC to deliver ads to make

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Anne van Kesteren
On Sat, Jun 18, 2016 at 4:55 PM, Anne van Kesteren wrote: > Isn't the problem more that if you use CSP to block outgoing > connections, WebRTC can be used for exfiltration during XSS? I filed https://github.com/w3c/webappsec-csp/issues/92 to start the standards discussion.

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Anne van Kesteren
On Sat, Jun 18, 2016 at 2:37 PM, Eric Rescorla wrote: > The priority of this proposed feature seems to depend rather a lot on > whether enough > advertisers are using WebRTC to deliver ads to make it worth some ad > blocker being > interested in adding such a blocker. Do we have any

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Eric Rescorla
The priority of this proposed feature seems to depend rather a lot on whether enough advertisers are using WebRTC to deliver ads to make it worth some ad blocker being interested in adding such a blocker. Do we have any evidence on this front? It's worth noting that from a security and tracking

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-18 Thread Paul Ellenbogen
On Fri, Jun 17, 2016 at 6:43 PM, Jan-Ivar Bruaroey wrote: > Data channels are modeled on web sockets, and I see we do this for web > sockets. https://bugzil.la/692067 > > However, data channels are typically opened to other *clients*, not > servers. > While WebRTC is typically

Re: WebRTC connections do not trigger content policies. Should they?

2016-06-17 Thread Jan-Ivar Bruaroey
Data channels are modeled on web sockets, and I see we do this for web sockets. https://bugzil.la/692067 However, data channels are typically opened to other *clients*, not servers. What would the ContentLocation URI be in this case? The (dynamic) IP used to reach the other client? This

WebRTC connections do not trigger content policies. Should they?

2016-06-17 Thread Paul Ellenbogen
At the moment, WebRTC does not check if connections are okay by content policies. WebRTC data channels as a side channel around content policy has potential for abuse. For example, ad blockers use