The spec guards against malformed SDP and SDP that violates the spec, but it does not do anything to guarantee that you get the SDP that you expected.
For example, you might offer sendrecv and assume that if the remote endpoint accepts your offer, they will answer with sendrecv. An application that is not prepared for one-way media might be surprised about this.
This is more of a note to users of the APIs than to the browser implementers. Does a security/note in the "Privacy and Security Considerations" section make sense?
Absolutely. Lack of integrity and authentication of the exchanged SDP allows for man-in-the-middle attacks. IMO the weakest point of WebRTC in regards to its end-to-end encryption claim.
the security model of the spec is "have the users of this API pass large blobs of SDP which they do not understand to the API without validating input". I am not sure that a note will help.
Understanding that the content is sensitive does not require understanding the content itself. :slightly_smiling_face:
Most helpful comment
the security model of the spec is "have the users of this API pass large blobs of SDP which they do not understand to the API without validating input". I am not sure that a note will help.