CSP: block WebRTC #479
Closed
CSP: block WebRTC #479
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Is it implemented by any browsers yet? |
|
Not yet, unfortunately. I expect Chromium will implement this. I think it'll be an important directive since WebRTC does not go through Fetch. Closing this loophole was one of the most demanded CSP features in the past. |
|
Upon further inspection: Permissions-Policy can already block WebRTC.
I'll ask some webappsec folks about the logic behind adding the CSP
directive in light of Permissions-Policy and report back.
|
|
It looks like this is unnecessary, given that the Permissions-Policy already blocks WebRTC. |
|
I don't think there's a Permissions-Policy setting for WebRTC itself. |
|
w3c/webappsec-permissions-policy#250 This issue seems to indicate that there is no webrtc Permissions-Policy |
|
[@]dveditz:mozilla.org shared some info from the `#security:mozilla.org` Matrix room:
found the difference -- Permission-policy controls things that request permissions, so it covers the camera and microphone getUserMedia() requests used in WebRTC. That doesn't prevent the connections though so that's why people want to add webrtc to CSP. That's a fairly recent addition (it's in the editor's draft, but not in the year-old published working draft) and may or may not be the best place to restrict it.
Some of the https:// fetches (to get peer info from an ICE server, for example) might get blocked by connect-src, though it's not very clear to me which circumstances do or don't in the Firefox implementation at a fairly quick look. The DTLS communication is definitely not covered by fetch-centric CSP without something like this new proposal.
Direct link: https://matrix.to/#/!anEyEXBYVSlveMBsbt:mozilla.org/$8cPpnG-rvikEOwSTRVY-v_C-msCIQKaDZY2egDRy86Q?via=mozilla.org&via=matrix.org&via=kde.org
Honestly, I think that simply blocking JS from the subset of pages that don't need it would be a much more robust solution in the meantime.
|
thestinger
force-pushed
the
main
branch
10 times, most recently
from
f68494a
to
b0b84a0
Compare
thestinger
force-pushed
the
main
branch
2 times, most recently
from
c6701d3
to
66132ef
Compare
|
@Seirdy We had to rebase the repository to fix some commit messages for a legal reason. Can you rebase this? |
Merged to the webappsec-csp repo in April: w3c/webappsec-csp#457
|
On Fri, Aug 12, 2022 at 07:34:15AM -0700, terezipyrope wrote:
w3c/webappsec-permissions-policy#250
This issue seems to indicate that there is no webrtc Permissions-Policy
Ah, I missed that. A full list of all implemented PP directives are in https://chromedevtools.github.io/devtools-protocol/tot/Page/#type-PermissionsPolicyFeature.
(side-note: hot damn this header is massive...almost 1.4kb just to opt-out of everything).
|
thestinger
force-pushed
the
main
branch
2 times, most recently
from
8faae51
to
35468ab
Compare
thestinger
force-pushed
the
main
branch
10 times, most recently
from
c70441d
to
fcbce2d
Compare
thestinger
force-pushed
the
main
branch
2 times, most recently
from
dea31f5
to
d7eacfb
Compare
thestinger
force-pushed
the
main
branch
3 times, most recently
from
6ca4922
to
14ce3de
Compare
thestinger
force-pushed
the
main
branch
4 times, most recently
from
283f8fe
to
85afa18
Compare
thestinger
force-pushed
the
main
branch
4 times, most recently
from
beaf7c9
to
6ae13d7
Compare
thestinger
force-pushed
the
main
branch
5 times, most recently
from
4b05c91
to
65ced09
Compare
|
This is implemented now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merged to the webappsec-csp repo in April:
w3c/webappsec-csp#457