From 9375e0fcfc31135676a94ba27aefefcab1310b5c Mon Sep 17 00:00:00 2001
From: Ian Denhardt
The {{RTCPeerConnection}}
interface is defined in [[WEBRTC]]. This document extends that interface
- by adding an additional static method.
+ by adding an additional static method, and adding a Content-Security-Policy
+ check to the constructor.
In the Constructor algorithm,
+ add a step right before step 2 saying "Run [[WEBAPPSEC-CSP#should-block-rtc-connection]]
+ on the current global object. Throw a {{NotAllowedError}} if it returns `Blocked`." In the Constructor algorithm,
- add a step right before step 2 saying "Run [[WEBAPPSEC-CSP#should-block-rtc-connection]]
- on the current global object. Throw a {{NotAllowedError}} if it returns `Blocked`." Whenever the RTCPeerConnection constructor
+ algorithm is invoked, run the following steps instead:
+
partial interface RTCPeerConnection {
static sequence<RTCIceServer> getDefaultIceServers();
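Review bot: the constructor step is located only by position ("add a step right before step 2"), so any renumbering of the [[WEBRTC]] constructor algorithm would move the CSP check without anyone noticing. Anchor the insertion on what the neighbouring step does, or wrap the constructor as the added "run the following steps instead:" sentence begins to do. That sentence is followed by no steps in this hunk, so the step that runs should-block-rtc-connection and throws NotAllowedError should be listed under it.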
@@ -139,6 +140,13 @@
Methods
+ Modifications to existing procedures
+
+
From 256fd09f1eae360b9e82ae0244b23e0c061d25c4 Mon Sep 17 00:00:00 2001
From: Ian Denhardt
Methods
Modifications to existing procedures
-
+
+
Whenever the RTCPeerConnection constructor +
Whenever the RTCPeerConnection constructor algorithm is invoked, run the following steps instead:
The {{RTCPeerConnection}} interface is defined in [[WEBRTC]]. This document extends that interface - by adding an additional static method, and adding a Content-Security-Policy - check to the constructor. + by adding an additional static method, and using Content-Security-Policy + for ICE candidate filtering.
partial interface RTCPeerConnection { static sequence<RTCIceServer> getDefaultIceServers(); @@ -143,15 +143,11 @@Methods
Modifications to existing procedures
-Whenever the RTCPeerConnection constructor - algorithm is invoked, run the following steps instead: -
-
- +- If [[WEBAPPSEC-CSP#should-block-rtc-connection]] on the current global object returns "Blocked", - throw a {{SecurityError}}."
-- Return the result of running the original - RTCPeerConnection constructor algorithm.
-Append the following paragraph to the description of + RTCPeerConnection.addIceCandidate:
+ +If [[WEBAPPSEC-CSP#should-block-rtc-connection]] on the current global + object returns "Blocked", all candidates MUST be prohibited.
Append the following paragraph to the description of - RTCPeerConnection.addIceCandidate:
+ addIceCandidate:If [[WEBAPPSEC-CSP#should-block-rtc-connection]] on the current global object returns "Blocked", all candidates MUST be prohibited.
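Review bot: in the paragraph appended to addIceCandidate, "all candidates MUST be prohibited" uses "prohibited" as if it were a defined term, but nothing in this patch defines or links it, so an implementer cannot tell what happens to a candidate once policy blocks it. Link the word to a definition or state the required behaviour. Since the constructor step that threw SecurityError is removed here, the text should also say whether script receives any error when the policy returns "Blocked".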
From f4385e606668ecf5047d4afcdb5fb60dc6c3e28d Mon Sep 17 00:00:00 2001 From: Ian DenhardtIf [[WEBAPPSEC-CSP#should-block-rtc-connection]] on the current global - object returns "Blocked", all candidates MUST be prohibited.
+ object returns "Blocked", all candidates MUST be [[WEBRTC#dfn-administratively-prohibited]]Append the following paragraph to the description of addIceCandidate:
-If [[WEBAPPSEC-CSP#should-block-rtc-connection]] on the current global - object returns "Blocked", all candidates MUST be [[WEBRTC#dfn-administratively-prohibited]]
+If + should-block-rtc-connection on the current global object returns + "Blocked", all candidates MUST be + administratively prohibited.
Append the following paragraph to the description of - addIceCandidate:
+Append the following paragraph to the + administratively prohibited + algorithm:
If
should-block-rtc-connection on the current global object returns
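Review bot: the new lead-in says "Append the following paragraph to the administratively prohibited algorithm", yet the reference used in the previous revision of this paragraph is [[WEBRTC#dfn-administratively-prohibited]], which points at a definition, not an algorithm. Word it as an addition to the definition of administratively prohibited so readers look in the right place in [[WEBRTC]]. The intermediate line ending in "[[WEBRTC#dfn-administratively-prohibited]]" also has no closing period, which is moot if it is squashed into the final wording.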
From c43451127a31f75325105ddd1c5dc0a5a13ed2ae Mon Sep 17 00:00:00 2001
From: Ian Denhardt
- The {{RTCPeerConnection}}
- interface is defined in [[WEBRTC]]. This document extends that interface
- by adding an additional static method, and using Content-Security-Policy
- for ICE candidate filtering.
+ The {{RTCPeerConnection}} interface is defined in [[WEBRTC]]. This document
+ extends that interface by using Content-Security-Policy for ICE candidate
+ filtering.
Returns a list of ICE servers that are configured into the
- browser. A browser might be configured to use local or private
- STUN or TURN servers. This method allows an application to learn
- about these servers and optionally use them. This list is likely to be persistent and
- is the same across origins. It thus increases the
- fingerprinting surface of the browser. In privacy-sensitive
- contexts, browsers can consider mitigations such as only
- providing this data to whitelisted origins (or not providing it
- at all.) Since the use of this information is left to
- the discretion of application developers, configuring a user
- agent with these defaults does not per se increase a user's
- ability to limit the exposure of their IP addresses. If set, the configured default ICE servers exposed by
- {{RTCPeerConnection/getDefaultIceServers}} on
- {{RTCPeerConnection}} instances provides persistent
- information across time and origins which increases the fingerprinting
- surface of a given browser. {{RTCPeerConnection/getDefaultIceServers()}} was moved from [[WEBRTC]] to
- this extension spec due to lack of support from implementers and
- concerns discussed in webrtc-pc#2023.
{{RTCPeerConnection}} extensions
partial interface RTCPeerConnection {
- static sequence<RTCIceServer> getDefaultIceServers();
-};
- Methods
-
-
- Modifications to existing procedures
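Review bot: the "partial interface RTCPeerConnection {" opener is left in place while its only member and the closing "};" are removed, which leaves an unterminated IDL block under the "{{RTCPeerConnection}} extensions" heading. Remove the opener as well. In the same way, the line "Returns a list of ICE servers that are configured into the" is kept as context while the rest of the getDefaultIceServers description is deleted, so a sentence fragment remains. Consider keeping one sentence recording that the method was dropped, since the removed text carried the only pointer to webrtc-pc#2023.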
From 170f6c17dc80c0a6a1baa5d92fcfa9f6238c9281 Mon Sep 17 00:00:00 2001
From: Ian Denhardt Modifications to existing procedures
administratively prohibited
algorithm:
If
- should-block-rtc-connection on the current global object returns
- "Blocked", all candidates MUST be
+ If
+ should RTC connections be blocked for global? with the
+ [=relevant global object=] of the {{RTCPeerConnection}} object in question
+ returns `"Blocked"`, then all candidates MUST be
administratively prohibited.
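Review bot: the condition is now tied to "the {{RTCPeerConnection}} object in question", but the consequence still reads "all candidates MUST be administratively prohibited" with no scope. Say "all candidates for that {{RTCPeerConnection}}" so the rule cannot be read as applying to connections whose relevant global object has a different policy. The lead-in above still calls administratively prohibited an "algorithm", which should match whatever term [[WEBRTC]] uses for it.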