Re: [webrtc-pc] Add a security/privacy note about remote SDP (#2193)

@fippo 

> "have the users of this API pass large blobs of SDP which they do not understand to the API without validating input"

Even where a user might try to understand SDP from a cursory point of view by following the links from, for example, a very basic web search to the primary source, some of the descriptions of [`<character>=<value>`](https://en.wikipedia.org/wiki/Session_Description_Protocol#cite_note-1) that a user might encounter at varying sources relevant to what is actually in the `sdp` at Chromium and Firefox could still potentially be outdated, or could change due to the activities of `WebRTC` developers/specification authors.

Consider the `<value>` `goog-remb`. [webrtcHacks](https://webrtchacks.com/wp-content/themes/parament/custom-pages/sdp/68.html) describes the value as 

> _Video > Codec Parameters_
> 
> **a=rtcp-fb:100 goog-remb**
> 
> This parameter is defined in draft-alvestrand-rmcat-remb. It defines the use of an RTCP message for Receiver Estimated Maximum Bitrate. The prefix goog- means that is still something implemented only by Google and non standard. 

The "Internet-Draft" https://tools.ietf.org/html/draft-alvestrand-rmcat-remb-03 itself does not detail why `"goog-remb"` was chosen as the prefix of the extension. Note also that Firefox 69 contains such a value in `sdp`:

- Chromium: `a=rtcp-fb:102 goog-remb`
- Firefox: `a=rtcp-fb:120 goog-remb`

which appears to indicate that *oogle products are not _now_ the exclusive implementers of that particular extension, or at least Mozilla is now using the value `"goog-remb"`, even if the actual implementation is dissimilar from that of *oogle.

-- 
GitHub Notification of comment by guest271314
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/2193#issuecomment-501928912 using your GitHub account

Received on Friday, 14 June 2019 00:52:59 UTC
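As an added illustration, not part of the comment above nor of the webrtc-pc project, here is a small JavaScript parser that pulls the `a=rtpmap` and `a=rtcp-fb` attributes out of an SDP blob and reports vendor-prefixed feedback types such as `goog-remb` per codec, so an application can inspect a remote description before handing it to `setRemoteDescription()`. The SDP fragment is constructed; only the two `goog-remb` lines come from the comment, and the `*` payload-type wildcard follows RFC 4585.

```javascript
// Constructed sample SDP fragment (not captured from a real browser); the two
// goog-remb lines are the ones quoted in the comment above.
const SAMPLE_SDP = [
  'v=0',
  'm=video 9 UDP/TLS/RTP/SAVPF 102 120',
  'a=rtpmap:102 VP8/90000',
  'a=rtcp-fb:102 goog-remb',
  'a=rtcp-fb:102 nack pli',
  'a=rtpmap:120 VP9/90000',
  'a=rtcp-fb:120 goog-remb',
  'a=rtcp-fb:120 ccm fir',
  'a=rtcp-fb:* transport-cc',
].join('\r\n') + '\r\n';

// Walk an SDP string and collect, per m= section, the payload-type -> codec map
// (a=rtpmap) and every a=rtcp-fb attribute. RFC 4585 allows "*" as the payload
// type, meaning the feedback applies to all codecs in that section.
function parseSdpFeedback(sdp) {
  const sections = [];
  let cur = null;
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith('m=')) {
      cur = { media: line.slice(2).split(' ')[0], codecs: {}, feedback: [] };
      sections.push(cur);
    } else if (cur && line.startsWith('a=rtpmap:')) {
      const m = /^a=rtpmap:(\d+) ([^/]+)\//.exec(line);
      if (m) cur.codecs[m[1]] = m[2];
    } else if (cur && line.startsWith('a=rtcp-fb:')) {
      // Lines that do not match the expected shape are skipped, not trusted.
      const m = /^a=rtcp-fb:(\d+|\*) (\S+)(?: (.*))?$/.exec(line);
      if (m) cur.feedback.push({ pt: m[1], type: m[2], params: m[3] || '' });
    }
  }
  return sections;
}

// Report feedback types carrying a vendor prefix (default "goog-"), resolved to
// the codec they apply to, so non-standard extensions in the offer are visible.
function findVendorFeedback(sdp, prefix = 'goog-') {
  const out = [];
  for (const s of parseSdpFeedback(sdp)) {
    for (const fb of s.feedback) {
      if (!fb.type.startsWith(prefix)) continue;
      const codec = fb.pt === '*' ? '*' : (s.codecs[fb.pt] || 'unknown');
      out.push({ media: s.media, pt: fb.pt, codec, type: fb.type });
    }
  }
  return out;
}
```

Calling `findVendorFeedback(SAMPLE_SDP)` yields one entry for VP8 (payload type 102) and one for VP9 (payload type 120), both with type `goog-remb`.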