Add a CSP check to RTCPeerConnection.addIceCandidate(). #81
Conversation
Corresponding change to CSP spec: w3c/webappsec-csp#457
|
I would prefer we add this to https://github.com/w3c/webrtc-pc directly. Monkey patching standards tends to lead to problems. |
|
I agree that would be cleaner. I'd gotten the impression somewhere that that document was more set in stone, but if you think it's ok I'll find time to put together a pr in the next couple days. |
@annevk @zenhack Yes, WebRTC is at Recommendation, and this WG is still finding its legs wrt a living spec within the W3C. This PR is a trial-balloon for our new merge guide, and I would say it's not going well, as it looks trivially small, yet missed the cutoff we made for small bug-fixes vs features. cc @alvestrand |
Unless we can get it in under "patch significant security holes in WebRTC"? |
Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com>
|
I have no objection to using the security holes clause to justify merging this directly into |
|
@alvestrand @aboba WDYT? |
|
I'm afraid I have an objection to using the "security hole" merge-fix loophole. Our agreement when we did the merge-guide was that we'd keep the idea that REC documented stuff for which there was consensus agreement and had been implemented in at least 2 browsers. Anything else goes to -extensions. |
index.html
Outdated
| <p>Whenever the <a data-cite="WEBRTC#dom-peerconnection">RTCPeerConnection constructor</a> | ||
| algorithm is invoked, run the following steps instead: | ||
| <ol> | ||
| <li>If [[WEBAPPSEC-CSP#should-block-rtc-connection]] on the current global object returns "Blocked", |
There was a problem hiding this comment.
Query: the constructor steps have a [[DocumentOrigin]] initialized to the relevant settings object's origin. Is "the relevant settings object" the same as "the current global object", or are they different? And if they're different, is this intentional?
There was a problem hiding this comment.
In the context of a constructor this's relevant ... and current ... are identical, though a settings object is different from a global object. https://html.spec.whatwg.org/multipage/webappapis.html#realms-settings-objects-global-objects has a longer explanation on this. Sticking with one pattern is better though, I'd recommend sticking with this's relevant ....
There was a problem hiding this comment.
should-block-rtc-connection says it takes a global object, and it ends up passing that through to create-violation-for-global, so it seems like passing in a settings object is conceptually a type error here, and changing it on the other end would be fairly invasive. But I'm still a little fuzzy on how all these relate, so it's possible I'm missing something.
|
@alvestrand I agree that we cannot add this directly to webrtc-pc due to lack of implementation. So it should live here (with a "feature at risk" note) until it is implemented. |
|
Addressed/replied to all outstanding comments. I believe I still need to sign the ipr commitment for this repo -- I think for webappsec-csp @samuelweiler sent me the relevant form, not sure if someone needs to intervene to send me one for this repo or if it's up somewhere public that I haven't found. |
|
So this makes the constructor throw, which is a bit different from how CSP works with other network APIs. There CSP violations effectively ends up causing a network error. Was that considered here? That might also make this more compatible in the couple cases where it might cause issues in the sense that applications would not end up getting an exception they might not have accounted for, but would rather get network errors they likely deal with already anyway. |
|
My rationale was that putting it here makes everything simpler -- there's one entry point, so this just cuts the whole thing off at the source, which is easier to reason about than if we had to track down all of the places where network activity might happen lazily. Though this opens up the question of what should we do if we find ourselves wanting to add finer-grained permissions? This is perhaps another argument in favor of using Permissions-Policy or such instead of CSP, though that doesn't solve the practical problem of errors where apps don't expect them. |
|
Outstanding issues as I see them:
I'm of the opinion that the additional complexity is not worth it for the error handling consideration alone, but am interested in hearing other perspectives. I don't have a great answer to the evolvability question though. I also am not sure where the check should go if we push it later -- if others have insights please share. My biggest concern with pushing the check later is I want to have a clear story as to how we will have confidence that we haven't missed a spot. |
|
Ping? |
|
Not sold on the idea:
That said, I'm fine with the proposal technically - there are a number of usages of WebRTC that don't involve communication (attempts at inappropriate user tracking, mostly), and I'm not at all unhappy about blocking them rather than waiting until we can signal a "network failure" as a response to an attempt at communication. So I won't block this at all, but I'm somewhat skeptical of it getting through the process and getting deployed. |
This is pretty much mandatory for where Sandstorm wants to go; if I have to I'll send a patch to all three major FOSS browser engines myself, though it would obviously more efficient if someone already familiar with the relevant codebases had the bandwidth. |
|
What's Sandstorm, and where does it want to go? |
|
See #64 (comment) (which was in response to a separate but related issue for which there seems to be a broader interest) |
|
With regards to pushing the check later: #73 is about sharing more infrastructure with Fetch. once we share connection setup infrastructure across all (web platform) specifications, we also have a single point to block them. It would just act as if establishing the connection resulted in failure. |
dontcallmedom
added
the
security-tracker
|
Ack, now that I've actually looked at your pr I understand that your intention was to just fix the issue there; I guess I should back out the change I just made? |
There was a problem hiding this comment.
I hadn't really processed that the definition of administratively prohibited was local to addIceCandidate
That's a mistake in the spec actually, and is issue w3c/webrtc-pc#2675 for which I've provided the PR. With the PR the algorithm is invoked from addIceCandidate, setRemoteDescription and setLocalDescription. The first two matches the reality that web developers who know SDP may provide candidates to the browser through both methods, and SLD is what triggers local gathering.
This had not been rendering properly. No content change.
zenhack
force-pushed
the
csp-integration
branch
from
5cbba4a
to
6511a9d
Compare
...since this may be moved to its own section in the future.
|
OK to merge once w3c/webappsec-csp#457 is merged. |
...as specified in: - w3c/webappsec-csp#457 - w3c/webrtc-extensions#81
* Test webrtc/content-security-policy integration ...as specified in: - w3c/webappsec-csp#457 - w3c/webrtc-extensions#81 * Fix typos in comment. Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> * Fix ice candidate exchange in CSP webrtc tests. we should be passing each candidate to the *other* pc. Tests now behave as expected. * CSP webrtc tests: listen for connection state change, not gathering. See #32914 (comment) * CSP webrtc tests: drop unnecessary stun server. * webrtc csp: simplify state checking "new" is the initial state. Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com>
|
Fixed the merge conflicts, and w3c/webappsec-csp#457 has been merged. |
I'd added this back in when fixing merge conflicts, but it's been moved to a different section. This commit fixes it so only the CSP stuff is in this section.
…2914) * Test webrtc/content-security-policy integration ...as specified in: - w3c/webappsec-csp#457 - w3c/webrtc-extensions#81 * Fix typos in comment. Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> * Fix ice candidate exchange in CSP webrtc tests. we should be passing each candidate to the *other* pc. Tests now behave as expected. * CSP webrtc tests: listen for connection state change, not gathering. See web-platform-tests#32914 (comment) * CSP webrtc tests: drop unnecessary stun server. * webrtc csp: simplify state checking "new" is the initial state. Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com>
|
Anything still need to happen here? |
…gration, a=testonly Automatic update from web-platform-tests Test webrtc/content-security-policy integration (#32914) * Test webrtc/content-security-policy integration ...as specified in: - w3c/webappsec-csp#457 - w3c/webrtc-extensions#81 * Fix typos in comment. Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> * Fix ice candidate exchange in CSP webrtc tests. we should be passing each candidate to the *other* pc. Tests now behave as expected. * CSP webrtc tests: listen for connection state change, not gathering. See web-platform-tests/wpt#32914 (comment) * CSP webrtc tests: drop unnecessary stun server. * webrtc csp: simplify state checking "new" is the initial state. Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> -- wpt-commits: 0abba58602758eb8be11c38788c6f51fed2529e4 wpt-pr: 32914
|
@jan-ivar, ping? |
…gration, a=testonly Automatic update from web-platform-tests Test webrtc/content-security-policy integration (#32914) * Test webrtc/content-security-policy integration ...as specified in: - w3c/webappsec-csp#457 - w3c/webrtc-extensions#81 * Fix typos in comment. Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> * Fix ice candidate exchange in CSP webrtc tests. we should be passing each candidate to the *other* pc. Tests now behave as expected. * CSP webrtc tests: listen for connection state change, not gathering. See web-platform-tests/wpt#32914 (comment) * CSP webrtc tests: drop unnecessary stun server. * webrtc csp: simplify state checking "new" is the initial state. Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com> -- wpt-commits: 0abba58602758eb8be11c38788c6f51fed2529e4 wpt-pr: 32914
|
I think somebody just needs to push the button... |
Co-authored-by: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com>
|
Merged the change. The link looks right now, though the doc it's pointing to seems to be a version of the doc that doesn't have that section updated. LGTM though. |
|
Checks seem to be failing over |
Corresponding change to CSP spec:
w3c/webappsec-csp#457
I'm like 90% sure I've botched the formatting here in one way or another; I still haven't totally gotten my head around how links are generated in these docs, and it seems like there's a bit of inconsistency in how docs are built from spec to spec... so let me know if something's broken...
I'm also a little fuzzy on how the CSP doc should refer to this; right now it links to the constructor section in WebRTC 1.0, but of course this step isn't there, so maybe it should link to the extensions instead?
cc: @annevk, @jan-ivar
Preview | Diff
Preview | Diff