As a potential security issue this should be handled with more urgency, imo.

I've opened an issue about this odd behavior a few weeks ago, but sadly no response so far.

Refused to frame '' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'.

Jitsi server admins are being forced to compromise on their security policies by changing a strict Content Security Policy directive from "frame-ancestors 'self'" to "frame-ancestors 'self' *.element.io" in order to allow an external domain to frame their jitsi instance! Otherwise Element-Desktop refuses to work with their own jitsi server and throws out the following error message after trying to start a conference (Dev-tools- LOG):

This behavior has also a security implication. What I don't understand is: Why is this framing inside an external domain behavior even necessary?

Both Element-Web and Element-Android handle this correctly by framing inside the "preferredDomain"!

The Jitsi domain will appear later in the URL as a configuration parameter.

Element-Desktop should still be using server for conference calls by simply framing it inside element.io.

Note: The widget URL will point to a jitsi.html page hosted by Element.

The XMPP server can be provisioned with a single user account to be shared between all jitsi-videobridge instances that connect to it.

This appears to work as intended - according to the guide you've mentioned above.
With this mode a jitsi-videobridge instance can connect to a set of XMPP servers, and new servers can be added at runtime.

That element-desktop would use my configured Jitsi server.

It has to be done via command line I believe. I've only used it briefly but had to define and create accounts on Prosody (I'm sure there's instructions somewhere on the GitHub pages).

If you would rather they did not do that, locking your server down so it is either available only on your local network, or else that your firewall only lets in traffic from trusted end points, might be a plan, or you could go down the “Secure Domain” approach of requiring a prosody user’s password before a conference room can be opened. If that is your intention, it probably is not abuse. If you are offering video conferencing services to anyone who can connect to your server, they can use it for any communication - you are not in control of what they say / do on video.

Presumably, it depends on what is meant by “abuse”.

On, at 07:53, Matteo Calorio > wrote:

A colleague of mine asked me: "can anyone use this service… if anyone can start a conference, is it not open to abuse?”

I followed the instructions, but then how do I define users allowed to start a conference?

And how do they authenticate from the web page? I see a "Login" button, now, under "Profile" section, but it seems it does nothing.

Users mailing instructions and other list options:

Is this correct? Or do you have experience of some kind of abuse? I replied: "no more than any other website, I think"

ii jitsi-videobridge 953-1 amd64 WebRTC compatible Selective Forwarding Unit (SFU)

A colleague of mine asked me: "can anyone use this service… if anyone can start a conference, is it not open to abuse?"
ii jitsi-meet-web-config -1 all Configuration for web serving of Jitsi Meet
ii jitsi-meet-web -1 all WebRTC JavaScript video conferences
ii jitsi-meet-prosody -1 all Prosody configuration for Jitsi Meet
ii jitsi-meet -1 all WebRTC JavaScript video conferences

I put up a site on a Debian 9.1 system with fail2ban 0.9.6-2 with these packages installed:

Jitsi configuration fields before deploying the Jitsi Marketplace app.

You can set User/Password to create a room, and once created, others can join the room.

Jitsi is a series of open source projects that form core tools like Jitsi Meet.

If your domain is visible to the web, then yes, anyone could use it