New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WebRTC circumvention #588

Closed
ameshkov opened this Issue Mar 14, 2017 · 7 comments

Comments

Projects
None yet
3 participants
@ameshkov
Member

ameshkov commented Mar 14, 2017

We do take care of it in the standalone programs with $network rules.

Browser extensions cannot do it, so we should figure out another way. For instance, we could override RTCPeerConnection objects, just like what we do for WebSocket.

@BooBerry

This comment has been minimized.

Show comment
Hide comment
@BooBerry

BooBerry Apr 8, 2017

How does uBlock Origin pull it off?

BooBerry commented Apr 8, 2017

How does uBlock Origin pull it off?

@ameshkov

This comment has been minimized.

Show comment
Hide comment
@ameshkov

ameshkov Apr 8, 2017

Member

It does not. uBO (and ABP will also do it soon) used the approach from the comment below. Not the best thing to do as it might break some websites functionality, the desktop programs $network approach is much "cleaner", but I guess there's nothing better we can do in the browser extensions.

Member

ameshkov commented Apr 8, 2017

It does not. uBO (and ABP will also do it soon) used the approach from the comment below. Not the best thing to do as it might break some websites functionality, the desktop programs $network approach is much "cleaner", but I guess there's nothing better we can do in the browser extensions.

@ameshkov

This comment has been minimized.

Show comment
Hide comment
@ameshkov

ameshkov Apr 8, 2017

Member

It seems that the only way is to break WebRTC for the chosen website, and if they are trying to circumvent it with the "frames" approach, block it by using Content-Security-Policy.

The same as what we did with WebSocket issue some time ago.

Member

ameshkov commented Apr 8, 2017

It seems that the only way is to break WebRTC for the chosen website, and if they are trying to circumvent it with the "frames" approach, block it by using Content-Security-Policy.

The same as what we did with WebSocket issue some time ago.

@BooBerry

This comment has been minimized.

Show comment
Hide comment
@BooBerry

BooBerry Apr 9, 2017

It does not

I was going to say, it does too (as an advanced/privacy option)!

Killing WebRTC would be great, especially for those using VPNs (e.g. like I do in a Windows 10 VM and on Arch Linux with the Adguard browser extensions).

BooBerry commented Apr 9, 2017

It does not

I was going to say, it does too (as an advanced/privacy option)!

Killing WebRTC would be great, especially for those using VPNs (e.g. like I do in a Windows 10 VM and on Arch Linux with the Adguard browser extensions).

@ameshkov

This comment has been minimized.

Show comment
Hide comment
@ameshkov

ameshkov Apr 10, 2017

Member

I was going to say, it does too (as an advanced/privacy option)!

Nah, that's tweaking some chrome://flags, it is not the same topic as we discuss here.

Killing WebRTC would be great, especially for those using VPNs (e.g. like I do in a Windows 10 VM and on Arch Linux with the Adguard browser extensions).

Frankly, I am more concerned about the ad reinjection now, there're a lot of websites exploiting webrtc in order to load ads metadata.

Member

ameshkov commented Apr 10, 2017

I was going to say, it does too (as an advanced/privacy option)!

Nah, that's tweaking some chrome://flags, it is not the same topic as we discuss here.

Killing WebRTC would be great, especially for those using VPNs (e.g. like I do in a Windows 10 VM and on Arch Linux with the Adguard browser extensions).

Frankly, I am more concerned about the ad reinjection now, there're a lot of websites exploiting webrtc in order to load ads metadata.

atropnikov added a commit that referenced this issue Apr 11, 2017

atropnikov added a commit that referenced this issue Apr 11, 2017

atropnikov added a commit that referenced this issue Apr 13, 2017

atropnikov added a commit that referenced this issue Apr 17, 2017

atropnikov added a commit that referenced this issue Apr 17, 2017

@ameshkov

This comment has been minimized.

Show comment
Hide comment
@ameshkov

ameshkov Apr 17, 2017

Member

We've just had an interesting discussion about this case with uBO and ABP devs.

@atropnikov please take a look:
gorhill/uBlock#1930 (comment)

It makes sense to implement the proposed way for disabling wrapping right away. Whichever common approach is agreed, we'll be able to reuse the implementation:

@@*$websocket,domain=example.org -- to disable WebSocket wrapper
@@*$webrtc,domain=example.org -- to disable the RTC wrapper

Also, we should come up with something in the desktop programs case. Wrapping RTC does not make much sense there, but we could at least transform $webrtc rules into the $network rules automatically.

Member

ameshkov commented Apr 17, 2017

We've just had an interesting discussion about this case with uBO and ABP devs.

@atropnikov please take a look:
gorhill/uBlock#1930 (comment)

It makes sense to implement the proposed way for disabling wrapping right away. Whichever common approach is agreed, we'll be able to reuse the implementation:

@@*$websocket,domain=example.org -- to disable WebSocket wrapper
@@*$webrtc,domain=example.org -- to disable the RTC wrapper

Also, we should come up with something in the desktop programs case. Wrapping RTC does not make much sense there, but we could at least transform $webrtc rules into the $network rules automatically.

@ameshkov

This comment has been minimized.

Show comment
Hide comment
@ameshkov

ameshkov Apr 18, 2017

Member

A bit more information about it.

Test website:
https://www.merriam-webster.com/

Chromium bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=707683

Discussion about CSP:
w3c/webappsec-csp#92

Member

ameshkov commented Apr 18, 2017

A bit more information about it.

Test website:
https://www.merriam-webster.com/

Chromium bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=707683

Discussion about CSP:
w3c/webappsec-csp#92

atropnikov added a commit that referenced this issue Apr 25, 2017

atropnikov added a commit that referenced this issue May 2, 2017

atropnikov added a commit that referenced this issue May 19, 2017

atropnikov added a commit that referenced this issue May 19, 2017

atropnikov added a commit that referenced this issue May 22, 2017

@ameshkov ameshkov closed this Aug 14, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment