W3C home > Mailing lists > Public > public-webrtc@w3.org > January 2018

Re: webRTC and Content Security Policy connect-src

From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Fri, 12 Jan 2018 13:27:02 +0100
Message-ID: <CALiegfnv3nMZ0OHqEyaVP1kysp6WDFL2Chjp0u1M1e7D6AjwgQ@mail.gmail.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Cc: T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Cullen Jennings <fluffy@iii.ca>
On 12 January 2018 at 13:06, Sergio Garcia Murillo
<sergio.garcia.murillo@gmail.com> wrote:
> On 12/01/2018 13:01, Iñaki Baz Castillo wrote:
> To summarize: The current issue with ICE Lite is that it's not needed
> for the browser (ICE controlling) to provide the remote with the
> browser *internally* and *dynamically* generated tokens (such as the
> ice-ufrag). With my proposal above, this would change so the JS should
> always signal its local ice-ufrag to the remote (otherwise ICE
> responses would be discarded). And for that, the JS must send it via
> HTTP/WebSocket, so habemus CSP rules to block them.

> As I already pointed out in the issue, it is possible to leak small amounts
> of data just with:
> var pc = new
> RTCPeerConnection({"iceServers":[{"urls":["turn:"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
> pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);

And as I already pointed out, my proposal above was just intended to
make both, Full ICE and ICE Lite, equally safe. :)

Leaking data via TURN credentials is a different subject (not less important).
Received on Friday, 12 January 2018 12:27:46 UTC

This archive was generated by hypermail 2.3.1 : Friday, 12 January 2018 12:27:46 UTC