Security considerations section - second PR #194
This expands the security considerations section a little.
LGTM!
lgtm
<ul> | ||
<li>Always requesting permission to communicate using ICE. This | ||
ensures that the browser can only send to partners who you have | ||
shared credentials with.</li> |
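Review bot: in the first list item, "requesting permission" does not say whose permission is meant, so it can be read as a prompt shown to the user; name the party, for example "requesting the remote endpoint's consent to communicate using ICE". The second sentence also switches to "you" while its subject is the browser; wording such as "partners with whom credentials have been shared" avoids that.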
I don't think that prompting the user is one of the mitigations we are OK with - needs more discussion with WG.
This confused me the first time as well, but I think the intent here is that "ICE is always used, and so you can only communicate with endpoints that are expecting inbound traffic", not that an infobar shows up.
I agree it should be reworded to make it clear it's the remote endpoint's permission that we are talking about.
The word "consent" was used here because "consent (to communicate)" is the term used in the IETF base spec. The fact that people act as if "consent" means "user prompt" no matter what the context is is unfortunate, but probably will pass. The text is, after all, rather explicit that this section does not do user prompting.
Still, edits can be suggested.
Adding security considerations. This replaces PR #15.