Re: [webrtc-extensions] Add a CSP check to RTCPeerConnection.addIceCandidate(). (#81)

> That being said, IIRC one can still exfiltrate data to arbitrary servers by crafting TURN credentials if that is left open.

Why wouldn't port restrictions apply here?

> Furthermore, I'm almost certain that, due to the complexity of the state machine, implementations would have to place a whole bunch of "WebRTC is turned off" guard checks, so one can interact with the PC state machine safely in the "off" mode.

Can you expand on this? Why would this be different from PC not being able to establish any connection due to them all using blocked ports?

-- 
GitHub Notification of comment by annevk
Please view or discuss this issue at https://github.com/w3c/webrtc-extensions/pull/81#issuecomment-975395243 using your GitHub account



Received on Monday, 22 November 2021 10:50:48 UTC