Intent to Implement and Ship: Block HTTP ports 5060 and 5061


Adam Rice

Nov 10, 2020, 1:46:35 AM
to blink-dev

Contact emails

ri...@chromium.org

Explainer

None

Specification

https://fetch.spec.whatwg.org/#bad-port

Summary

Connections to HTTP, HTTPS or FTP servers on ports 5060 or 5061 will fail. This is a mitigation for the slipstream attack: https://samy.pl/slipstream/. It helps developers by keeping the web platform safe for users.



Blink component

Internals>Network

TAG review

No TAG review as this is an urgent security mitigation.

TAG review status

Not applicable

Risks



Interoperability and Compatibility

Safari, Firefox and Chrome have coordinated to fix this issue, so interoperability risk is small. Existing web servers on ports 5060 and 5061 will no longer be accessible. Since it is not common practice to run servers on these ports, the impact is expected to be small.



Gecko: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1674735)

WebKit: Shipped/Shipping (https://bugs.webkit.org/show_bug.cgi?id=218557)

Web developers: No signals

Security

This is a mitigation for a known attack. The underlying issue of NAT devices being tricked into creating port forwards cannot be fixed in the browser. WebRTC-related vulnerabilities are being addressed separately.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

All Blink platforms use the same network stack where this is implemented.



Is this feature fully tested by web-platform-tests?

Yes

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1145680

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5064283639513088
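The check this intent relies on is the "bad port" step of the Fetch Standard (https://fetch.spec.whatwg.org/#bad-port): the browser compares the request URL's port against a fixed table and returns a network error before opening a socket. The script below is an added example, not code from this post, from the Fetch Standard or from Chromium. It models that step for the HTTP, HTTPS and FTP schemes the intent names, with a constructed subset of the spec's port table (the spec's table is longer and authoritative), and the function names are the example's own. One modeling assumption not stated on the page: a scheme's own default port is never blocked, so an FTP URL on port 21 passes while http://host:21/ does not.

```javascript
// Added example, not code from the blink-dev post, the Fetch Standard or
// Chromium. It models the "bad port" check at
// https://fetch.spec.whatwg.org/#bad-port, applied to the HTTP, HTTPS and
// FTP schemes named in the intent. Function names are the example's own.

// Constructed subset of the spec's bad-port table, enough for the example.
// 5060 and 5061 (SIP and SIP over TLS) are the ports this intent adds; the
// spec's table is the authoritative and longer list.
const BAD_PORTS = new Set([
  21, 22, 23, 25, 110, 143, 465, 587, 993, 995, 5060, 5061, 6667,
]);

// Schemes the intent covers, with their default ports. The WHATWG URL
// parser drops a special scheme's default port, so url.port is "" for
// http://host:80/, https://host:443/ and ftp://host:21/.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ftp:": 21 };

function effectivePort(url) {
  return url.port === "" ? DEFAULT_PORTS[url.protocol] : Number(url.port);
}

// Returns the offending port number, or null when the request may proceed.
// Assumption (not stated on the page): a scheme's own default port is never
// blocked, so ftp://host/ on port 21 is allowed while http://host:21/ is not.
function blockedPort(urlString) {
  const url = new URL(urlString);
  if (!(url.protocol in DEFAULT_PORTS)) return null; // check does not apply
  const port = effectivePort(url);
  if (port === DEFAULT_PORTS[url.protocol]) return null;
  return BAD_PORTS.has(port) ? port : null;
}

// Throws the same kind of error a page sees from fetch(): a TypeError,
// raised before any connection attempt is made.
function assertPortAllowed(urlString) {
  const port = blockedPort(urlString);
  if (port !== null) {
    throw new TypeError(`Failed to fetch ${urlString}: port ${port} is blocked`);
  }
}

// fetch() wrapper with the check in front. fetchImpl is injectable so the
// example can be exercised without network access.
async function guardedFetch(urlString, fetchImpl = globalThis.fetch) {
  assertPortAllowed(urlString);
  return fetchImpl(urlString);
}

// Constructed sample URLs exercising the interesting cases.
const SAMPLES = [
  "http://example.com:5060/",   // blocked: newly added bad port
  "https://example.com:5061/",  // blocked: newly added bad port
  "ftp://example.com:5060/",    // blocked: FTP is covered too
  "http://example.com:21/",     // blocked: FTP's port, but over HTTP
  "ftp://example.com/",         // allowed: FTP on its own default port
  "http://example.com:8080/",   // allowed: not in the table
  "data:text/plain,hello",      // allowed: check does not apply
];

for (const u of SAMPLES) {
  const port = blockedPort(u);
  console.log(`${u} -> ${port === null ? "allowed" : `blocked (port ${port})`}`);
}
```

WebSocket URLs are left out because the intent only names HTTP, HTTPS and FTP; the spec text applies the same table to HTTP(S) schemes generally, so a fuller model would map ws:/wss: onto http:/https: before the lookup.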

Yoav Weiss

Nov 10, 2020, 2:40:46 AM
to Adam Rice, blink-dev
LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAC_ixdwFas33EZ%2BgNcko-NoQi5aTwEZ-CVJOvb9jKEtC%3D5RR-w%40mail.gmail.com.

Manuel Rego Casasnovas

Nov 10, 2020, 5:55:45 AM
to Yoav Weiss, Adam Rice, blink-dev
LGTM2


Daniel Bratell

Nov 10, 2020, 12:47:55 PM
to Manuel Rego Casasnovas, Yoav Weiss, Adam Rice, blink-dev
LGTM3

/Daniel