@@ -10,3 +10,47 @@ to create a `.xdc` file, execute:
1010``` sh
1111./create-xdc.sh
1212```
13+
14+ ## Testing network isolation
15+
16+ <!-- FYI this section is linked to from
17+ https://github.com/deltachat/deltachat-desktop/blob/main/RELEASE.md. -->
18+
19+ To test whether a webxdc runtime implementation (i.e. a messenger) keeps
20+ the [ "apps can't access internet" promise] ( https://delta.chat/en/2023-05-22-webxdc-security#the-unique-privacy-promise-of-web-apps-without-tracking-or-platforms ) ,
21+ one can utilize this app together with [ Wireshark] ( https://www.wireshark.org/ ) .
22+
23+ 1 . Launch Wireshark.
24+ 2 . Start capturing packets on the default "internet" interface.
25+ 3 . Apply the following packet filter:
26+
27+ ``` js
28+ ip .addr == 173.194 .76 .127 ||
29+ ip .addr == 37.218 .242 .41 ||
30+ udp contains " delta" ||
31+ tcp contains " delta"
32+ ```
33+
34+ The first IP is the IP address of a Google STUN server,
35+ used in this app's WebRTC test.
36+ The second IP is the IP address of delta.chat.
37+
38+ 4 . Open the webxdc runtime (i.e. the Delta Chat client)
39+ and launch this webxdc app.
40+ 5 . Scroll down to the [ "DNS Prefetch" section] ( https://github.com/webxdc/webxdc-test/blob/db2796226d420535cb1caf9ba29e7d639e9e01f2/index.html#L67 ) .
41+ 6 . Type in ` foobar.delta.chat ` and press all the 3 buttons in the section.
42+ 7 . Go back to Wireshark and verify that
43+ there are 0 packets that match the filter.
44+
45+ Disclaimer: the fact that a webxdc implementation passed all these tests
46+ doesn't mean that it's fool-proof.
47+
48+ Wireshark is required because this webxdc app
49+ might not always be able to receive data back, and thus detect a leak.
50+ For example, this is the case for the
51+ [ TURN server test] ( ./js/webrtc.js#L27-L36 ) .
52+
53+ As a bonus step, try building Delta Chat with no CSP set for webxdc apps,
54+ and repeating the test.
55+ Still no network activity should occur,
56+ otherwise we're one misstep away from breaking the promise.
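Review bot: the display filter in step 3 can show zero packets for reasons other than isolation working, so the check in step 7 can pass falsely. `ip.addr` matches IPv4 only and both addresses are hard-coded, so traffic to a different resolved address for the STUN server or delta.chat, or any traffic over IPv6, falls outside the first two clauses. The `udp contains "delta"` and `tcp contains "delta"` clauses only see plaintext, so a lookup sent through an encrypted resolver would not match either. Suggest having the tester resolve both hosts at test time, adding matching `ipv6.addr` clauses, and inserting a control step before step 4 (for example, opening foobar.delta.chat in an ordinary browser and confirming that the filter shows packets) so that an empty result means something. Minor: the fence is tagged `js`, but its content is a Wireshark display filter.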