Media/WebRTC/Privacy

3,717 bytes added, 17:27, 20 August 2015
Initial creation
This page gathers information related to privacy in WebRTC. This is a Work-In-Progress and more categories need to be added.

Note: this page is for documenting options, not for discussion.

==Address leakage and VPNs==

===Prefs that control ICE Candidate generation===
All of these can be set from about:config or controlled via an extension.
* '''media.peerconnection.ice.force_interface''' -- string (default "") -- interface name to match for ICE (Firefox 43, uplift requested for 42 and 41)
** If set, and there is no interface that matches exactly, '''NO''' candidates will be generated
** If set and there is a match, that interface will be used solely for ICE. Local (LAN) and external IP addresses for that interface will be used for ICE candidates. This can be pointed at a single external interface to hide/ignore internal (VM) interfaces, unconnected interfaces or VPNs (e.g. work VPNs). It can also be set to a VPN interface, and then ICE will only use the VPN (and if the VPN is down, ICE will fail).
* '''media.peerconnection.ice.relay_only''' -- boolean (default false) -- only generate relay (TURN) candidates for ICE (Firefox 42, uplift requested for 41)
** This can be used to block all local (LAN) and external IP addresses from being generated as candidates.
** An example use case is avoiding exposure of your external IP address to a caller (for instance, to avoid disclosing that you're in town Xxxxx during a call with someone you have a protection order against; roughly the equivalent of blocking outgoing caller-id on the PSTN by *-whatever)
** NOTE: does not hide your external IP address from the TURN server itself.
* '''media.peerconnection.use_document_iceservers''' -- boolean (default true) -- use STUN/TURN servers provided by the page (all recent Firefox versions)
** If set to false and '''media.peerconnection.default_iceservers''' is set to the server(s) you want to use, only those servers will be used, and no server provided by the page will be used.
** This can be useful for corporate 'gateway' TURN servers, or for a TURN server hosted by a VPN provider.
* '''media.peerconnection.ice.default_address_only''' -- boolean (default false) -- limit ICE candidates to the default interface only (Firefox 43, uplift requested for 42)
** The default interface used for general routing is identified and only that address is used for candidate generation
** LAN IP addresses are not generated; the external IP address for that interface is (for a VPN, this is the exit portal of the VPN)
** If your router does not support 'hairpinning', a within-LAN call will end up being routed through an external TURN server
** '''NOT supported with e10s yet''' (see {{bug|1194259}})
* '''media.peerconnection.enabled''' -- boolean (default true) -- enables/disables the ability to create RTCPeerConnection objects (all recent Firefox versions)
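
One way to check what the prefs above actually leave in an offer, as an added example (not part of the original page and not Firefox code): it parses the <code>a=candidate</code> lines of an SDP blob and lists the client addresses they reveal. The names <code>parseCandidates</code> and <code>auditCandidates</code> and both sample SDP fragments are assumptions constructed for illustration.

```javascript
// Added example: list the addresses an SDP blob's ICE candidates would reveal.
// In a browser, pass pc.localDescription.sdp once ICE gathering has completed.

// Constructed sample containing all three candidate types
// (private and documentation-range addresses only).
const SAMPLE_DEFAULT = [
  "v=0",
  "m=application 9 DTLS/SCTP 5000",
  "a=candidate:0 1 UDP 2122252543 192.168.1.23 50000 typ host",
  "a=candidate:1 1 UDP 1686052863 203.0.113.7 50000 typ srflx raddr 192.168.1.23 rport 50000",
  "a=candidate:2 1 UDP 92216831 198.51.100.9 61000 typ relay raddr 203.0.113.7 rport 50000",
].join("\r\n");

// Constructed sample containing only a relay candidate with a zeroed raddr.
const SAMPLE_RELAY_ONLY =
  "a=candidate:2 1 UDP 92216831 198.51.100.9 61000 typ relay raddr 0.0.0.0 rport 0";

// foundation component transport priority ADDRESS port "typ" TYPE [extensions]
const CANDIDATE_RE =
  /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(.*)$/;

function parseCandidates(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = CANDIDATE_RE.exec(line.trim());
    if (!m) continue; // not a candidate line
    const rel = /\sraddr (\S+)/.exec(m[3]);
    out.push({ address: m[1], type: m[2], raddr: rel ? rel[1] : null });
  }
  return out;
}

function auditCandidates(sdp) {
  const cands = parseCandidates(sdp);
  const exposed = new Set();
  for (const c of cands) {
    // host, srflx and prflx candidates carry one of the client's own addresses;
    // a relay candidate carries the TURN server's address instead.
    if (c.type !== "relay") exposed.add(c.address);
    // raddr can repeat a client address, even on a relay candidate.
    if (c.raddr && c.raddr !== "0.0.0.0" && c.raddr !== "::") exposed.add(c.raddr);
  }
  return {
    relayOnly: cands.length > 0 && cands.every((c) => c.type === "relay"),
    exposed: [...exposed].sort(),
  };
}
```

An empty <code>exposed</code> list together with <code>relayOnly: true</code> is the result to expect when '''media.peerconnection.ice.relay_only''' is doing its job; the TURN server still sees the external address, as noted above.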

===Hooks to control access to createOffer/createAnswer===
Firefox 43 (uplift requested to 42) supports hooks that let an extension allow or deny calls to createOffer and createAnswer.
<nowiki>
// Add-ons can override stock permission behavior by doing:
//
//   var stockObserve = webrtcUI.observe;
//
//   webrtcUI.observe = function(aSubject, aTopic, aData) {
//     switch (aTopic) {
//       case "PeerConnection:request": {
//         // new code.
//         break;
//       }
//       ...
//       default:
//         return stockObserve.call(this, aSubject, aTopic, aData);
//     }
//   };
//
// See browser/modules/webrtcUI.jsm for details</nowiki>

Example extension: http://hancke.name/tmp/verhueterli.xpi (source: https://github.com/fippo/plumber). Note: unsigned extensions require flipping a pref to use (and can't be used in Beta 41).