W3C home > Mailing lists > Public > public-webrtc@w3.org > August 2015

Sandboxing usage of RTCPeerConnection?

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Mon, 17 Aug 2015 14:26:55 +0200
Message-ID: <55D1D30F.4070508@w3.org>
To: "public-webrtc@w3.org" <public-webrtc@w3.org>
Hi,

Back in April, I had tried to list the various mitigation strategies 
that are available to reduce some of the mis-usage of RTCPeerConnection 
to obtain information on the local network topology:
https://lists.w3.org/Archives/Public/public-webrtc/2015Apr/0131.html

While there is still more work needed on the "VPN use case" (where 
leaking some of the IP addresses of VPN users potentially reveal their 
true location), I wonder if there is any interest in making it also much 
less trivial for any random third-party (e.g. ads network) to obtain 
users local IP addresses which provide increased fingerprinting surface 
for little benefit.

The specific idea I would like to suggest is that content embedded via 
<iframe> don't get access to the RTCPeerConnection interface unless they 
are embedded with an "allow-rtcpeerconnection" token in the sandbox 
attribute.
http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox

Would there be support for such a proposal?

Dom
Received on Monday, 17 August 2015 12:27:03 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:45 UTC