zenhack
commented
2 years ago Status report: having prodded this along for a whole year (!), we've finally agreed on the spec language. See:
I currently have a pr out for the web platform test suite, which will probably require a few rounds of review:
Once those are all settled it needs to actually get implemented in the browsers. Adding support in sandstorm will be trivial.
We're close to closing the client-side loophole, but it's currently not possible to block WebRTC with CSP; that will require changes to web standards (and browsers, obviously). I'm trying to get some discussion going in the w3c about making this happen, it looks like there was some effort in this direction that stalled:
https://github.com/w3c/webappsec-csp/pull/287#issuecomment-748181979