Connections to HTTP, HTTPS or FTP servers on ports 5060 or 5061 will fail. This is a mitigation for the slipstream attack: https://samy.pl/slipstream/. It helps developers by keeping the web platform safe for users.

Motivation

The Slipstream attack is a kind of cross-protocol request forgery which permits malicious internet servers to attack computers on a private network behind a NAT device. The attack depends on being able to send traffic on port 5060 (SIP). As a mitigation to protect users, this change will prevent connections on port 5060. To be on the safe side, and to align with other browsers, it also blocks port 5061 (SIP over TLS).

Specification

Specification link

Status: Specification being incubated in a Community Group

Status in Chromium

Blink components: Internals>Network

Implementation status: Enabled by default (tracking bug)

Consensus & Standardization

• Firefox: Shipped/Shipping
• Safari: Shipped/Shipping
• Web Developers: No signals

Owner

• ricea@chromium.org

Comments

HTTP servers using port 5060 or port 5061 will be inaccessible. They will have to be modified to run on different ports, and all referring urls updated. Legitimate use of these ports for HTTP servers is believed to be rare. Many existing ports are blocked as mitigations for security issues, so this is not a novel approach. See the spec link https://fetch.spec.whatwg.org/#bad-port for the standard list.

Last updated on 2022-01-14