Immediately after switching the page, it will work with CSR.
Please reload your browser to see how it works.
My vision of how this should work can be inferred from https://github.com/atomirex/umbrella Essentially in the future wherever we have WiFi APs those should also be media SFUs (and probably MQTT brokers or similar) where each client will only see the AP and things the applications running on the AP have explicitly allowed, including streams piped opaquely from anywhere else.
The idea that being connected to WiFi means ability to see other devices and the public internet needs to stop being the default.
For example, in this case presumably the QA team play in different modes and provide feedback about things which aren't going to work, but that is a very different universe than web or mobile app design.
Right now domestic IoT and Home Assistant are like Windows Mobile and Symbian prior to the iPhone: proof that something interesting and useful is possible in the domain, but requiring an enthusiast level of investment in knowledge and time to maintain and operate.
Were I a billionaire I would be attempting to launch the Android (in the original intended sense) of IoT to solve that.
This is a good example of conflicting security requirements.
Not wanting the video to go to the cloud is fine, but most cameras with RTSP enabled allow any other device on the network to trivially get the camera stream, and sometimes also control the camera. This is why some camera companies require you jump through hoops to unlock RTSP - I don't like it but I can see why they do it.
This is one reason I've come to believe it's necessary that every device must see a totally different network universe from every other, able only to see the local controller server. (This is how I ended up playing with on AP video relays in my profile, as an effort to see what's involved). Things like multicast discovery is cool, but an absolute privacy and security disaster area.