Ian: Push web standards to allow blocking WebRTC #12
Assignees
Comments
|
Status report: having prodded this along for a whole year (!), we've finally agreed on the spec language. See:
I currently have a pr out for the web platform test suite, which will probably require a few rounds of review: Once those are all settled it needs to actually get implemented in the browsers. Adding support in sandstorm will be trivial. |
zenhack
added a commit
to zenhack/sandstorm
that referenced
this issue
Jul 31, 2022
...when using ALLOW_LEGACY_RELAXED_CSP=false Note that this doesn't actually work yet, because the browsers don't implement this feature, but I've at least gotten it into the standards. I will probably have to do the implementation work myself too. But we may as well go ahead and add this to Sandstorm without waiting for the browsers. See also: sandstormports/community-project#12
zenhack
added a commit
to zenhack/sandstorm
that referenced
this issue
Jul 31, 2022
...when using ALLOW_LEGACY_RELAXED_CSP=false Note that this doesn't actually work yet, because the browsers don't implement this feature, but I've at least gotten it into the standards. I will probably have to do the implementation work myself too. But we may as well go ahead and add this to Sandstorm without waiting for the browsers. See also: sandstormports/community-project#12
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We're close to closing the client-side loophole, but it's currently not possible to block WebRTC with CSP; that will require changes to web standards (and browsers, obviously). I'm trying to get some discussion going in the w3c about making this happen, it looks like there was some effort in this direction that stalled:
w3c/webappsec-csp#287 (comment)
The text was updated successfully, but these errors were encountered: