WebRTC can be used to detect your local IP address without any consent, which has led to it being recommended for use cases that have nothing to do with Real-Time Communication (such as being the StackOverflow-accepted way of getting a user's local IP address in a Chrome Extension).
In some browsers, however, local IP addresses are only exposed if camera and/or microphone access has been granted, which gives the user agency over their privacy, but might complicate some legitimate use cases for WebRTC.
Demo website is here. The website asks for permission to access microphone. On Safari, we see that if this permission is denied then the page does not get host IP addresses. However, on Firefox and Chrome, user permission with respect to camera/video does not matter - the page JavaScript can access your private IP address anyway using WebRTC.
All JavaScript is client-side - we do not send your IP address anywhere. The code is open source for your browsing pleasure.
- https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-06
- https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-14
webrtc-privacy is an Open Source project made available by the NetBlocks.org project and contributors under the terms of the MIT license.
Copyright (c) 2018
Licensed under the MIT license.