[RTW] New draft on WebRTC API draft-jennings-rtcweb-api

Cullen Jennings fluffy at cisco.com
Tue Mar 22 04:28:00 CET 2011


I should have a REF for CORS to http://www.w3.org/TR/cors/

Let me oversimplify CORS and explain the part that is key here. Note this explanation is not exactly accurate, but it is close enough to the key idea. The idea with HTTP is that, say, a JavaScript program in a page downloaded from X wants to send an HTTP request to Y. What happens is first the browser sends an OPTIONS request to Y. The JavaScript had no control over anything in the OPTIONS request, so it is hard to mount a useful attack on Y this way. In the response to the OPTIONS, Y says if it is willing to accept HTTP requests from something that had an origin of X. If Y is willing to receive traffic from something that originated from X, then the browser sends the request from the JavaScript over to Y.

The idea here is to do the same thing with SIP. Before the browser would send a SIP request that the browser application wanted sent, the browser would send a SIP OPTIONS request and the SIP server would authorize future requests or not. The same headers used for CORS in HTTP could be used in SIP. It would be a pretty simple mapping. The nice part from my point of view is that the security properties of it are very close to the security properties of CORS. CORS is widely deployed, so I don't see a security problem with this widely deploying.


On Mar 11, 2011, at 10:19 AM, Bernard Aboba wrote:

> Section 1.3.3 states:
> 
>    The security issue of a browser sending a SIP packet to a device that
>    does not meet the same origin policy is discussed in the section XXX,
>    but the brief preview of the solution is that the SIP messages can
>    use CORS REF much like HTTP does.
> 
> Can you elaborate?  Unlike the media authorization discussion (where a STUN exchange is used to authorize media exchange), it isn't clear to me how authorization works here.
> 
> On Thu, Mar 10, 2011 at 12:20 PM, Cullen Jennings <fluffy at cisco.com> wrote:
> 
> I wrote up the start of a draft on requirements and a sketch of an API proposal. It is at
> 
> http://tools.ietf.org/html/draft-jennings-rtcweb-api-00
> 
> I view this as very early but starts to list some of the issues and an evolving sketch of how the API might look.
> 
> Cullen
> 
> _______________________________________________
> RTC-Web mailing list
> RTC-Web at alvestrand.no
> http://www.alvestrand.no/mailman/listinfo/rtc-web
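The preflight gate described in the message above, simulated end to end as an added example (this is not code from draft-jennings-rtcweb-api or from anyone on the thread). It follows the simplified model exactly as stated: the browser, not the page's script, sends an OPTIONS request carrying the page's origin, and only forwards the script's request if the server's answer names that origin. The HTTP shape comes first, then the same check carried over to a SIP OPTIONS exchange. All messages are constructed inline and nothing is sent on the wire; the use of an Origin header and an Access-Control-Allow-Origin header inside SIP messages is an assumption about what the proposed mapping could look like.

```javascript
// Added example: CORS-style preflight gate, first for HTTP, then mapped onto SIP.
// Constructed messages only; no network. SIP header names are an assumption.

// Shared decision: does the server's allow header authorize this origin?
// A missing header means the server said nothing, which is a deny.
function originAllowed(allowHeader, origin) {
  if (allowHeader === undefined) return false;
  return allowHeader === "*" || allowHeader === origin;
}

// ---------- HTTP side ----------
// Y's policy: the origins it accepts cross-origin requests from ("*" = any).
function httpPreflightResponse(allowedOrigins, origin) {
  const headers = {};
  if (allowedOrigins.includes("*")) headers["Access-Control-Allow-Origin"] = "*";
  else if (allowedOrigins.includes(origin)) headers["Access-Control-Allow-Origin"] = origin;
  return { status: 200, headers };
}

// The browser performs the preflight itself; the script from X has no say over
// it and only gets its own request forwarded if Y names X (or "*").
function httpBrowserSend(allowedOrigins, origin, request) {
  const reply = httpPreflightResponse(allowedOrigins, origin);
  const allow = reply.headers["Access-Control-Allow-Origin"];
  return originAllowed(allow, origin) ? { sent: true, request } : { sent: false, request: null };
}

// ---------- SIP side (assumed mapping) ----------
const CRLF = "\r\n";

// The browser builds the SIP OPTIONS "preflight", stamping the page's origin.
function buildSipOptions(origin, target) {
  return [
    `OPTIONS ${target} SIP/2.0`,
    "Via: SIP/2.0/WS browser.invalid;branch=z9hG4bK-preflight",
    "From: <sip:anonymous@browser.invalid>;tag=1",
    `To: <${target}>`,
    "Call-ID: preflight-1",
    "CSeq: 1 OPTIONS",
    `Origin: ${origin}`,             // assumed: HTTP CORS header reused in SIP
    "Content-Length: 0",
    "",
    "",
  ].join(CRLF);
}

// Minimal header lookup: skip the start line, read headers until the blank line.
function sipHeader(message, name) {
  for (const line of message.split(CRLF).slice(1)) {
    if (line === "") break;
    const idx = line.indexOf(":");
    if (idx > 0 && line.slice(0, idx).trim().toLowerCase() === name.toLowerCase()) {
      return line.slice(idx + 1).trim();
    }
  }
  return undefined;
}

// The SIP server answers the OPTIONS with the CORS allow header, or a 403.
function sipServerAnswer(allowedOrigins, optionsMessage) {
  const origin = sipHeader(optionsMessage, "Origin");
  const cseq = sipHeader(optionsMessage, "CSeq") || "1 OPTIONS";
  const allow = allowedOrigins.includes("*") ? "*"
    : (origin !== undefined && allowedOrigins.includes(origin)) ? origin : undefined;
  const lines = [`SIP/2.0 ${allow === undefined ? "403 Forbidden" : "200 OK"}`, `CSeq: ${cseq}`];
  if (allow !== undefined) lines.push(`Access-Control-Allow-Origin: ${allow}`);
  lines.push("Content-Length: 0", "", "");
  return lines.join(CRLF);
}

// The browser reads the answer and decides whether the application's request
// (for example an INVITE) may go out to that server at all.
function sipBrowserSend(allowedOrigins, origin, target, appRequestStartLine) {
  const answer = sipServerAnswer(allowedOrigins, buildSipOptions(origin, target));
  const allow = sipHeader(answer, "Access-Control-Allow-Origin");
  return originAllowed(allow, origin)
    ? { sent: true, request: appRequestStartLine }
    : { sent: false, request: null };
}

// Demo: a page from x.example against a SIP server that only trusts x.example.
const demoPolicy = ["https://x.example"];
console.log(sipBrowserSend(demoPolicy, "https://x.example", "sip:bob@y.example",
  "INVITE sip:bob@y.example SIP/2.0"));
console.log(sipBrowserSend(demoPolicy, "https://evil.example", "sip:bob@y.example",
  "INVITE sip:bob@y.example SIP/2.0"));
```

The point the simulation makes is the one in the message: the page's script never touches the OPTIONS exchange, so the only thing it can cause to reach Y is an OPTIONS carrying an origin the browser itself filled in, and Y's answer to that is the whole authorization decision.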