Re: [rtcweb] Same location media

Jozsef Vass <jovass@adobe.com> Fri, 21 October 2011 20:29 UTC

From: Jozsef Vass <jovass@adobe.com>
To: Roman Shpount <roman@telurix.com>, Iñaki Baz Castillo <ibc@aliax.net>
Date: Fri, 21 Oct 2011 13:28:47 -0700
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Same location media

As for Flash, I think you are referring to the same origin policy and not media, which is true for all browsers. That means that http://www.a.com/a.swf cannot load http://www.b.com/data.txt without an explicit permission by a cross-domain policy file.

Jozsef

From: Roman Shpount [mailto:roman@telurix.com]
Sent: Thursday, October 20, 2011 9:27 AM
To: Iñaki Baz Castillo
Cc: rtcweb@ietf.org
Subject: [rtcweb] Same location media

Changing the topic from "A plea for simplicity, marketability..."

On Thu, Oct 20, 2011 at 11:57 AM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
Also you are assuming that the media is sent to the same IP of the web
server (in case a RTCweb scenario does not include user2user calls).
This is a too much simplified scenario, and you miss that a DNS A
record can point to N IP's, and you also miss the case in which the
webserver has an IP different than the media server (regardless they
both are located within the same provider infrastructure). The browser
cannot determine it by itself, so security is always a need, and IMHO
it's a bad idea to allow a very corner case in which such security
could be relaxed.

I am not missing the DNS issues. I wanted to bring this up in my previous email, but did not want to confuse the issue. I don't advocate for this case at all, I just wanted to clarify that "same origin media" does not necessarily mean two phones in the same location and means media going to the same location as JavaScript origination.

Few additional points related to this:

1. This is what Flash is doing now for streaming media. It does not need consent to send media to the same server that sent the flash app.

2. I am not sure we standardized that only IP addresses are allowed in media description. DNS names might still be allowed, and then this issue will become the issue of doing a literal match.

3. There is still a security issue with ICE: we validate that STUN request can be processed, but not that the media actually should be accepted from this application. In some sense, current Flash cross domain policies are stricter, since they not only validate that media is acceptable at this IP but that it is acceptable from the app served from particular server.

In general, I think this is a good thing if I can get readily available hardware components and connect RTC clients to my existing infrastructure (I do have a JavaScript/HTTP to SIP proxy solution already). If we are not breaking anything by doing this, there might be some benefit for allowing this. But on the other hand, I already got ICE/SRTP to non-ICE/RTP media proxy as well, so if this is not supported I will not suffer much :).

_____________
Roman Shpount
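
The cross-domain policy check discussed in this thread, as an added example that is not part of the original messages or of any Flash or browser code: it decides whether content served from one origin may load a resource from another, keyed on the requesting application's origin rather than on mere reachability of the target. The policy text is constructed, and the domain matching (exact name, `*`, or `*.suffix` for subdomains) is a simplifying assumption that ignores ports, the `secure` attribute and meta-policies.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policy, as it might be served at http://www.b.com/crossdomain.xml
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.a.com"/>
  <allow-access-from domain="*.partner.example"/>
</cross-domain-policy>"""


def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)


def domain_matches(pattern, host):
    """Simplified matching (assumption): '*', '*.suffix' or exact host."""
    pattern = (pattern or "").lower()
    if not pattern or not host:
        return False
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Keep the leading dot so 'evilpartner.example' does not match.
        return host.endswith(pattern[1:])
    return host == pattern


def may_load(app_url, target_url, policy_xml=None):
    """True if the app at app_url may read target_url under the given policy."""
    if origin(app_url) == origin(target_url):
        return True  # same origin: no policy file needed
    if policy_xml is None or "<!DOCTYPE" in policy_xml.upper():
        return False  # no explicit permission, or a DTD we refuse to parse
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return False  # malformed policy grants nothing
    if root.tag != "cross-domain-policy":
        return False
    host = origin(app_url)[1]
    return any(domain_matches(e.get("domain"), host)
               for e in root.iter("allow-access-from"))
```
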