Hi, Back in April, I had tried to list the various mitigation strategies that are available to reduce some of the mis-usage of RTCPeerConnection to obtain information on the local network topology: https://lists.w3.org/Archives/Public/public-webrtc/2015Apr/0131.html While there is still more work needed on the "VPN use case" (where leaking some of the IP addresses of VPN users potentially reveal their true location), I wonder if there is any interest in making it also much less trivial for any random third-party (e.g. ads network) to obtain users local IP addresses which provide increased fingerprinting surface for little benefit. The specific idea I would like to suggest is that content embedded via <iframe> don't get access to the RTCPeerConnection interface unless they are embedded with an "allow-rtcpeerconnection" token in the sandbox attribute. http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox Would there be support for such a proposal? DomReceived on Monday, 17 August 2015 12:27:03 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:08 UTC