From: Juliusz Chroboczek <jch@irif.fr>
To: Michael Ströder
CC: galene@lists.galene.org
Date: Mon, 01 Feb 2021 01:45:21 +0100
Subject: [Galene] Re: "This operation is insecure"
Message-ID: <87pn1k39b2.wl-jch@irif.fr>
In-Reply-To: <8aea027c-63f9-9600-f084-dd3ebf569ef8@stroeder.com>
List-Id: Galène videoconferencing server discussion list

> Ok, following your advice I've successfully tested normal video
> conference with a Safari-on-iPad user and the following complete CSP
> header:

I'm a little concerned that if you tweak Galène's defaults, your bug
reports will be somewhat less useful to me than they would be otherwise.
So would you please explain what kind of attacks you're trying to avoid,
so we can converge on a common header that suits everyone?

> 1. disable frames.

Galène doesn't create frames.  Galène's default CSP header forbids inline
Javascript, so even if an attacker somehow manages to get Galène to
include Javascript code in the DOM, it will be ignored.

> 2. limit connect-src to wss: because all traffic must be TLS encrypted.

Secure web pages are not allowed to connect to insecure WebSockets, even
when the CSP allows it.

> 3. tighten resource loading some more just in case some browsers might
> not obey default-src 'self'.

Are you aware of any such browsers?

-- Juliusz
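As an added example (not Galène's own code, and not the header Michael tested, which the message does not reproduce), here is a small checker for the three CSP properties argued over above: inline script blocked, frames disabled, and connect-src limited to TLS. The two sample policies are constructed for illustration, not Galène's real default.

```python
# Added example (not Galène's own code): check a Content-Security-Policy
# header for the three properties discussed in the thread.  Sample
# policies are constructed for illustration, not Galène's real default.

# Fetch directives and the chain they fall back to when absent (CSP3).
FALLBACK = {"script-src": ["default-src"], "connect-src": ["default-src"],
            "frame-src": ["child-src", "default-src"]}

WEAK_CSP = ("default-src 'self'; connect-src ws: wss: 'self'; "
            "script-src 'self' 'unsafe-inline'")
STRICT_CSP = ("default-src 'self'; connect-src wss:; "
              "frame-src 'none'; frame-ancestors 'none'")


def parse_csp(header: str) -> dict:
    """{directive: [sources]}; like browsers, keep only a directive's first occurrence."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """Sources governing a directive after its fallback chain; None = unrestricted."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def check_policy(header: str) -> dict:
    """Answer the three questions raised in the thread for one header."""
    policy = parse_csp(header)
    script = effective_sources(policy, "script-src")
    # A nonce or hash source makes browsers ignore 'unsafe-inline'.
    nonce_or_hash = bool(script) and any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    frames = effective_sources(policy, "frame-src")
    connect = effective_sources(policy, "connect-src")
    return {
        "inline_script_blocked": script is not None
        and ("'unsafe-inline'" not in script or nonce_or_hash),
        "frame_embedding_blocked": frames == ["'none'"],
        # frame-ancestors has no fallback: absent means any site may frame the page.
        "framing_by_others_blocked": policy.get("frame-ancestors") == ["'none'"],
        "connect_tls_only": connect is not None and all(
            s == "'self'" or s.startswith(("wss:", "https:")) for s in connect),
    }
```

Note that point 2 in the thread is moot for the ws: scheme on an https: page regardless of the policy, since the browser refuses the insecure WebSocket anyway; the checker only reports what the header itself permits.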