finnn

They says "secure" but it's trusting the website to not deliver malicious JS. Also trusting the numerous third party domains that javascript is included from (and if you block them the entire thing breaks).

mike-cardwell

Yeah. It's "secure" as long as none of Filecha, Cloudfare, Google, Facebook, jQuery or Akamai get hacked, compromised or coerced.

There's no reason he can't host all of these javascript resources on the same domain, substantially reducing the attack surface area.

I know people like to use CDNs and third party hosted analytics software, but can we at least come to the compromise that if you're going to say your app is "secure" or "private", that you at least attempt to host what you can on your own domain...

[edit] I'm probably being unfair. He makes the code available so you can host it yourself. I'm sure most people who install it will leave the CDNs in place though.

finnn

You're not being unfair at all, IMO. The instance he hosts says secure, yet it includes lots of 3rd party resources, and of course you're still trusting his server every time you run it.

Abundnce10

> you're still trusting his server every time you run it.

Is there any way to initiate transfers between two browsers over WebRTC without the use of a server?

explorigin
Yes, but that's not the point here. The point is getting the code that knows what to do with the WebRTC connection.

Since you asked: https://github.com/cjb/serverless-webrtc/