Closed Bug 901810 Opened 11 years ago Closed 11 years ago

Add webrtc to permission table for PeerConnection and underlying UDP socket

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
Other
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: schien, Assigned: schien)

References

Details

Attachments

(1 file)

WIP - add udp-socket in PermissionTable
1.34 KB, patch
Details | Diff | Splinter Review
We need a permission check for using UDP socket in WebRTC.
Assignee: nobody → schien
Attachment #786110 - Flags: feedback?(fabrice)
Comment on attachment 786110 [details] [diff] [review] WIP - add udp-socket in PermissionTable Review of attachment 786110 [details] [diff] [review]: ----------------------------------------------------------------- That's not clear to me why we need that as an independent permission. If we have a "webrtc" permission we should rather use an "additional" property like https://mxr.mozilla.org/mozilla-central/source/dom/apps/src/PermissionsTable.jsm#141
Attachment #786110 - Flags: feedback?(fabrice)
nsUDPSocket is not only been used by WebRTC but also for mozUDPSocket in bug 745283, do you suggest that we have two difference permission for WebRTC and mozUDPSocket?
Currently in bug 853356 only define the permission prompt for gUM, however, we should also have a permission prompt for PeerConnection since it will create sockets to an address user might not be aware. Depending on the permission check of gUM is not sufficient because a malicious script can get MediaStream from <audio>, add it to PeerConnection, and then create DataChannel to transmit arbitrary text/blob to an endpoint without getting noticed. So, I suggest to add another permission prompt for WebRTC. @fabrice and @ladamski, how do you think?
Flags: needinfo?(ladamski)
Flags: needinfo?(fabrice)
QA Contact: jsmith
Summary: Add udp-socket to permission table → Add webrtc to permission table for PeerConnection and underlying UDP socket
Prompts and permissions are not quite the same thing. The problem with prompting the user for permission is that the user should be reasonably capable of understanding the question the permission prompt is asking. In the examples of camera or contacts, the user has some idea of what the content is asking for. I don't think any user will understand the risks around UDP sockets. Adding Jonas here for more insight.
Flags: needinfo?(ladamski)
Aside from the question of the user's informed consent, we send STUN checks prior to sending any other data and we only send data once the STUN checks have completed. That's why IETF/W3C decided that it wasn't necessary to have a permissions prompt prior to use of a PeerConnection. The same analysis seems to apply here. SC: I'm not following the threat you're describing. We're not generally trying to stop people from transmitting data. The intent is to avoid use of people's cameras and microphones as well as to stop transmission of data to unconsenting recipients. Does the example you suggest in c4 violate that?
QA Contact: jsmith
(In reply to Eric Rescorla (:ekr) from comment #6) > > SC: I'm not following the threat you're describing. We're not generally > trying to stop people from transmitting data. The intent is to avoid use of > people's cameras and microphones as well as to stop transmission of data to > unconsenting recipients. Does the example you suggest in c4 violate that? I agree. Can we get feedback from security people?
Flags: needinfo?(fabrice) → needinfo?(ptheriault)
From a threats perspective there is already nothing stopping an app from sending arbitrary data to any origin via a number of ways (xhr, image, websockets etc). The logic in comment 6 sounds right to me - and given there is no prompt for this API on desktop, it doesn't seem like there should be one for Firefox OS. I am assuming that we also prevent pages from making UDP connections to localhost (i.e. protect local UDP services, e.g. push message listener, from malicious web pages).
Flags: needinfo?(ptheriault)
After discussing with @pauljt, WebRTC doesn't need permission for using UDP socket. The permission check is only need if we expose UDP socket to Web API, i.e. mozUDPSocket. So, I'm going to remove the permission check from the patch for bug 869869 and set this bug as WONTFIX.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: