CSP-like mechanism for disabling RTCPeerConnection API? #2619

Closed
zenhack opened this issue Dec 18, 2020 · 2 comments

zenhack commented Dec 18, 2020

Hi everyone,

Apologies in advance if this is the wrong place to start this discussion (if so, I would appreciate being pointed in the right direction).

Background: I contribute to Sandstorm (https://github.com/sandstorm-io/sandstorm), a platform for self-hosting web applications, which as part of its security model wants to prevent applications from "phoning home," giving its users privacy from the apps' developers. There are a few loose ends to tie up before it can actually do that by default, most of which we have a plan for and just need to do the work, but WebRTC presents a vector for leaking information that I don't think we can solve without browser modifications, so I wanted to get a discussion going re: whether we can move the standard in a direction that accommodates our use case.

Per the spec:

https://www.w3.org/TR/webrtc/#privacy-and-security-considerations

...the WebRTC threat model assumes it's OK for the page to communicate with whoever it wants -- after all, it can already communicate with the server, so there's not much point in trying to block other connections, as the server could just proxy or the like.

But this runs counter to the Sandstorm model, where the server is running in a sandboxed environment where by default it does not have network access -- and thus cannot relay information to the developer on behalf of the client.

We use Content-Security-Policy to block most other mechanisms for communicating with the outside world from the browser, but as far as I can tell there's no way for a server to tell the browser "don't let this page use RTCPeerConnection." I'd like to propose adding a mechanism along those lines.

Are others open to a mechanism along these lines?

(There are some other things I'd like to see in the API to help make writing Sandstorm apps that actually have use for WebRTC features easier, but those should probably be treated as separate issues.)
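
An added example, not part of the original post and not Sandstorm's code: a small auditor that maps browser egress channels to the CSP directives governing them and reports what a given policy leaves open. The channel table, the status names and the sample policy are constructed for illustration; the empty entry for `RTCPeerConnection` follows the post's statement that no directive covers it.

```javascript
// Added example (not Sandstorm's code): map browser egress channels to the
// CSP directives that govern them, then report what a policy leaves open.
const CHANNELS = {
  'fetch/XHR/WebSocket/EventSource': ['connect-src', 'default-src'],
  'images': ['img-src', 'default-src'],
  'scripts': ['script-src', 'default-src'],
  'stylesheets': ['style-src', 'default-src'],
  'fonts': ['font-src', 'default-src'],
  'audio/video': ['media-src', 'default-src'],
  'frames': ['frame-src', 'child-src', 'default-src'],
  'form submission': ['form-action'], // form-action has no default-src fallback
  // Assumption taken from the issue text: no directive covers this channel.
  'RTCPeerConnection': [],
};

// Parse a Content-Security-Policy header value into Map(directive -> sources).
// Directive names are case-insensitive; a repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Classify each channel as blocked, restricted, open or ungoverned.
function auditEgress(header) {
  const policy = parseCsp(header);
  const report = {};
  for (const [channel, chain] of Object.entries(CHANNELS)) {
    const directive = chain.find((d) => policy.has(d));
    if (!directive) {
      report[channel] = { status: chain.length ? 'open' : 'ungoverned', via: null };
      continue;
    }
    const sources = policy.get(directive);
    const none = sources.length === 0 ||
      (sources.length === 1 && sources[0].toLowerCase() === "'none'");
    const wide = sources.some((s) => s === '*' || /^(https?|wss?):$/i.test(s));
    report[channel] = { status: none ? 'blocked' : wide ? 'open' : 'restricted', via: directive };
  }
  return report;
}

// Constructed sample policy, not Sandstorm's actual header.
const SAMPLE = "default-src 'none'; img-src 'self' data:; connect-src 'self'; form-action 'self'";
console.log(auditEgress(SAMPLE));
```

Even with `default-src 'none'`, the report lists `RTCPeerConnection` as ungoverned, which is the gap the post describes.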

@dontcallmedom
Member

Linking to previous discussions on the topic: w3c/webappsec-csp#92, w3c/webappsec-csp#287

@zenhack
Author

zenhack commented Dec 18, 2020

Thanks for the pointers. I commented on the latter; I'll close this in favor of further discussion there.

@zenhack closed this as completed Dec 18, 2020