[CiPHPerCoder]

> Security : how do you guarantee that a client peer is not tinkering with the code it distributes further?

You could make a system involving digital signatures (EdDSA), but then "how do you trust which public key?" type questions mean this doesn't improve much.

[AgentME]

If I'm understanding this right, you could include the public key in the web page itself, served over HTTPS. There's still a webpage being served from your server. It just delegates most of the resources to be accessed over webrtc.

[abloodywar]

Maybe Subresource Integrity[1] would be of interest.

[1] https://www.w3.org/TR/SRI/