This forces all WebRTC connections to only use server-reflexive and relay ICE candidates, and only on the default IP route. While this may cause a QoS hit (two users behind NAT can no longer keep their traffic internal to the NAT), it does allow the issue mentioned here to be fully addressed without disabling WebRTC altogether.
Thanks very much for your reply. I've been trying to enable the preference in Google Chrome Canary on Mac OSX. However, I haven't been able to successfully block the IP leak - I suspect because I haven't configured it correctly. I had to manually create the file "/Library/Google/Google Chrome Master Preferences" and add the setting you suggested. I then reinstalled Chrome Canary and tested but no effect. I also tried editing the user preferences file in ~/Library/Application\ Support/Google/Chrome\ Canary/Default/Preference but that seems to be overwritten by the browser. How should I be configuring this preference? Thanks again.
That doesn't necessarily mean they need to be sent to the server. The two browsers on the same LAN could coordinate via local discovery, establish a socket between themselves, hand that socket to WebRTC, and never tell the two applications running in the browser sandbox what local LAN IPs they use.
One example would be if you happened to use WebRTC with two peers on the same VPN.