3. Browser Threat Model
The Web security model [RFC6454] rests on the concept of "origins". Briefly, an origin consists of a tuple of protocol, host, and port; for instance, the origin of https://example.com/ is (https, example.com, 443). (See [RFC6454] for the details). When a browser sends a request to a given origin, it acts on behalf of the principal that initiated the request (e.g., a script from https://trusted.com/). The fundamental security rule of the Web is the Same-Origin Policy (SOP), which states that resources from one origin should not be accessible to scripts from another origin, unless the origin of the resource explicitly opts into such access (e.g., via Cross-Origin Resource Sharing (CORS) [fetch]).
WebRTC introduces a new communication channel for the Web, alongside HTTP (and WebSockets). This channel differs from HTTP in several important ways:
- It allows sending arbitrary data (via the DataChannel).
- It allows sending media (audio and video).
- It generally routes over UDP (though TCP is also supported).
- It can be peer-to-peer (P2P), meaning that data goes directly between browsers rather than via a server.
These differences introduce new threats that must be mitigated by the WebRTC architecture.
3.1 New Targets
Because WebRTC allows sending data to arbitrary IP addresses and ports (subject to ICE checks [RFC8445]), malicious scripts could potentially use the user's browser to attack services that are not accessible from the public Internet but are accessible from the user's machine (e.g., intranets, home routers). This is known as the "calling card" attack.
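The mitigation named above, the ICE connectivity check, is modelled here as an added example that is not part of this document or of any WebRTC implementation: the browser sends a STUN Binding Request to the candidate address and forwards application data only if a well-formed Binding Success response carrying the same transaction ID comes back. The two responders are constructed stand-ins (a real ICE peer and an intranet service that does not speak STUN); real ICE additionally requires USERNAME and MESSAGE-INTEGRITY attributes keyed with the ICE password exchanged over signaling, which this simplified model omits.

```python
import os
import struct

# STUN constants from RFC 5389/8489: header is type(2) length(2) cookie(4) txid(12)
STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101


def build_binding_request(txid: bytes) -> bytes:
    """Encode a STUN Binding Request with no attributes (simplified model)."""
    assert len(txid) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid


def is_valid_binding_response(resp: bytes, txid: bytes) -> bool:
    """Accept only a Binding Success whose header and transaction ID match our request."""
    if len(resp) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", resp[:8])
    if msg_type != BINDING_SUCCESS or cookie != STUN_MAGIC_COOKIE:
        return False
    if resp[8:20] != txid:  # a stale or guessed response is not consent
        return False
    return length == len(resp) - 20


def ice_peer(request: bytes) -> bytes:
    """Constructed responder: a WebRTC peer that answers checks with the same txid."""
    msg_type, _, cookie = struct.unpack("!HHI", request[:8])
    if msg_type != BINDING_REQUEST or cookie != STUN_MAGIC_COOKIE:
        return b""
    return struct.pack("!HHI", BINDING_SUCCESS, 0, STUN_MAGIC_COOKIE) + request[8:20]


def intranet_http_service(request: bytes) -> bytes:
    """Constructed responder: a non-WebRTC service that never speaks STUN."""
    return b"HTTP/1.1 400 Bad Request\r\n\r\n"


def send_if_consented(responder, payload: bytes) -> bool:
    """Browser-side rule: application data flows only after the check succeeds."""
    txid = os.urandom(12)
    reply = responder(build_binding_request(txid))
    if not is_valid_binding_response(reply, txid):
        return False  # no consent from the remote address; nothing is sent
    responder(payload)
    return True
```

Because the intranet service never returns a matching Binding Success, the page's script gets no path to it, which is the property the ICE checks are meant to provide.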
3.2 New Data Types
WebRTC allows sending real-time audio and video. If a malicious site can access the user's camera and microphone without consent, it can spy on the user.
3.3 Denial of Service
Because WebRTC can generate high-bandwidth traffic, it could be used to mount Denial of Service (DoS) attacks.