Connections to HTTP, HTTPS or FTP servers on ports 5060 or 5061 will fail. This is a mitigation for the slipstream attack: https://samy.pl/slipstream/. It helps developers by keeping the web platform safe for users.
The Slipstream attack is a kind of cross-protocol request forgery which permits malicious internet servers to attack computers on a private network behind a NAT device. The attack depends on being able to send traffic on port 5060 (SIP). As a mitigation to protect users, this change will prevent connections on port 5060. To be on the safe side, and to align with other browsers, it also blocks port 5061 (SIP over TLS).
Status in Chromium
Enabled by default (tracking bug) in:
- Chrome for desktop release 87
- Chrome for Android release 87
- Android WebView release 87
Consensus & Standardization
Last updated on 2021-01-13