WebRTC RTCDataChannel can be used for exfiltration #92

Open
annevk opened this Issue Jun 18, 2016 · 3 comments


@annevk
Member
annevk commented Jun 18, 2016

Since it does not go through Fetch, none of the security policies are applied to it. Seems wrong. Not entirely sure where the best general place would be to address this; filing this as a start.

@ekr
ekr commented Jun 18, 2016

I agree that this isn't ideal.

ISTM that it might be easiest to just have a "no-webrtc" directive, rather than trying to have fine-grained filters.

@mikewest mikewest added this to the CSP3 CR milestone Sep 2, 2016
@mikewest
Member
mikewest commented Sep 2, 2016

  1. Conceptually, it seems like this ought to be governed by connect-src.
  2. Feature Policy aims to provide an on/off toggle of the form that @ekr suggests; maybe that's enough, if it turns out that back-compat stops us from implementing existing restrictions.

@gorhill
gorhill commented Dec 5, 2016 edited

More and more sites are (ab)using WebRTC to pull data from remote servers through browsers with no obvious way for users to be informed about such connections to remote servers, and no means to prevent these connections from happening on a per-site basis. I observe that such use is spreading fast. Example:

A no-webrtc directive would solve this.
