PSA: restrictions to ice-ufrag and ice-pwd syntax

Skip to first unread message

Philipp Hancke

Feb 21, 2020, 8:58:05 AM2/21/20
If you encounter the following error please read this message in full. This should only happen when talking to non-browser endpoints in Chrome 81 (beta):
Failed to execute 'setRemoteDescription' on 'RTCPeerConnection': Failed to set remote offer sdp: Failed to apply the description for video:
Invalid ICE parameters: ICE ufrag must contain only alphanumeric characters, '+', and '/'.
(there is a similar variant for ice-pwd)

In the past the parsing of the ice-ufrag and ice-pwd attributes in the SDP has been relatively liberal and allowed a bunch of characters that were not allowed by the specification
RFC 5245 defines ice-ufrag and ice-pwd as follows in
   ice-pwd-att           = "ice-pwd" ":" password
   ice-ufrag-att         = "ice-ufrag" ":" ufrag
   password              = 22*256ice-char
   ufrag                 = 4*256ice-char
with ice-char being defined as
ALPHA / DIGIT / "+" / "/"
so basically alphanumeric characters, "+" and "/" (which is what the commit message says).
Recently I found a creative way to put some potentially harmful stuff there. I'll go into details some day ;-)

As a mitigation,
started enforcing the definition from the spec. We've recently been notified that this also breaks when including a "-":
My servers broke on the next chrome unstable nightly test because I included a "=". Whoops.
While spec-compliance is a great goal, breaking stuff without announcements is not cool so we're temporarily allowing "-" and "=" despite not being allowed by the specification.

The Google folks have said that they intend to merge the more lenient rules to Chrome 81 which is where the restrictions are going to ship as well. According to the chrome release calendar this is going to ship mid-march:
If this still breaks for you and you need more time: please holler. Here, in the bug or reach out in another way.

Please note that "-" and "/" will be rejected again at some point in the future. Please verify your implementations do the correct thing.

very sad about no longer ebing allowed to include the snowman emoji in the SDP

Roman Shpount

Feb 21, 2020, 10:20:19 AM2/21/20
to discuss-webrtc
I assume you mean

Please note that "-" and "=" will be rejected again at some point in the future.


Philipp Hancke

Feb 21, 2020, 10:54:25 AM2/21/20
Good catch, thank you Roman!


You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

Philipp Hancke

Feb 25, 2020, 12:06:19 PM2/25/20
add "#" and "_" to the list of temporarily allowed characters (those haven't rolled into chrome yet).

Philipp Hancke

Mar 26, 2020, 12:52:43 PM3/26/20
reminder: this is still going to ship in M81, even though a tad later according to
Reply all
Reply to author
0 new messages