Hello,

in the latest version of the module (2.0.2) I get the following in the dev console:

"Unrecognized Content-Security-Policy directive 'webrtc'."

Per default it's blocked which should be ok, but it seems, the rule might be broken?

Thanks for clearification if it's a bug.

Bye Defcon0

Comments

defcon0 created an issue. See original summary.

gapple’s picture

gapple
he/they
Primary language English
commented
Title: Unrecognized Content-Security-Policy directive 'webrtc'. » Unrecognized Content-Security-Policy directive 'webrtc' in browser console
Status: Active » Closed (works as designed)

The webrtc directive is defined in the CSP spec, but is not yet implemented by all browsers. The message is only displayed in the browser console, and it does not send a violation report if you have configured a reporting option.
https://www.w3.org/TR/CSP3/#directive-webrtc

The module config form defaults to 'block' when enabled, but if the directive is not yet supported by a browser (or not present in the policy), then webrtc connections are allowed by the browser by default (webrtc 'allow' is explicit, but functionally the same as omitting the directive). Nothing you can do about that, but if you're not using webrtc and want browsers to block it when they add support, you can enable the directive with 'block' now.