CSP: block WebRTC #479

Closed

Seirdy
Contributor

@Seirdy Seirdy commented Aug 6, 2022

Merged to the webappsec-csp repo in April:
w3c/webappsec-csp#457

@thestinger
Member

Is it implemented by any browsers yet?

@Seirdy
Contributor Author

Seirdy commented Aug 7, 2022

Not yet, unfortunately. I expect Chromium will implement this.

I think it'll be an important directive since WebRTC does not go through Fetch. Closing this loophole was one of the most demanded CSP features in the past.

@Seirdy
Contributor Author

Seirdy commented Aug 11, 2022 via email

@Seirdy
Contributor Author

Seirdy commented Aug 12, 2022

It looks like this is unnecessary, given that the Permissions-Policy already blocks WebRTC.

@Seirdy Seirdy closed this Aug 12, 2022
@thestinger
Member

I don't think there's a Permissions-Policy setting for WebRTC itself.

@thestinger thestinger reopened this Aug 12, 2022
@ghost

ghost commented Aug 12, 2022

w3c/webappsec-permissions-policy#250

This issue seems to indicate that there is no webrtc Permissions-Policy.

@Seirdy
Contributor Author

Seirdy commented Aug 13, 2022 via email

@thestinger thestinger force-pushed the main branch 10 times, most recently from f68494a to b0b84a0 Compare August 18, 2022 19:51
@thestinger thestinger force-pushed the main branch 2 times, most recently from c6701d3 to 66132ef Compare August 26, 2022 03:15
@thestinger
Member

@Seirdy We had to rebase the repository to fix some commit messages for a legal reason. Can you rebase this?

@Seirdy
Contributor Author

Seirdy commented Oct 11, 2022 via email

@thestinger thestinger force-pushed the main branch 2 times, most recently from 8faae51 to 35468ab Compare October 14, 2022 02:25
@thestinger thestinger force-pushed the main branch 10 times, most recently from c70441d to fcbce2d Compare May 6, 2023 19:34
@thestinger thestinger force-pushed the main branch 2 times, most recently from dea31f5 to d7eacfb Compare May 29, 2023 07:05
@thestinger thestinger force-pushed the main branch 3 times, most recently from 6ca4922 to 14ce3de Compare June 13, 2023 17:34
@thestinger thestinger force-pushed the main branch 4 times, most recently from 283f8fe to 85afa18 Compare June 21, 2023 18:59
@thestinger thestinger force-pushed the main branch 4 times, most recently from beaf7c9 to 6ae13d7 Compare June 27, 2023 18:16
@thestinger thestinger force-pushed the main branch 5 times, most recently from 4b05c91 to 65ced09 Compare July 6, 2023 03:39
@thestinger thestinger closed this Jul 11, 2023
@thestinger
Member

This is implemented now.
