- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Mon, 17 Aug 2015 14:26:55 +0200
- To: "public-webrtc@w3.org" <public-webrtc@w3.org>
Hi, Back in April, I had tried to list the various mitigation strategies that are available to reduce some of the mis-usage of RTCPeerConnection to obtain information on the local network topology: https://lists.w3.org/Archives/Public/public-webrtc/2015Apr/0131.html While there is still more work needed on the "VPN use case" (where leaking some of the IP addresses of VPN users potentially reveal their true location), I wonder if there is any interest in making it also much less trivial for any random third-party (e.g. ads network) to obtain users local IP addresses which provide increased fingerprinting surface for little benefit. The specific idea I would like to suggest is that content embedded via <iframe> don't get access to the RTCPeerConnection interface unless they are embedded with an "allow-rtcpeerconnection" token in the sandbox attribute. http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox Would there be support for such a proposal? Dom
Received on Monday, 17 August 2015 12:27:03 UTC