Re: Reducing reporting noise

Thanks Glenn!

On Wed, Jun 25, 2014 at 12:14 AM, Glenn Adams wrote:

> On Fri, Jun 20, 2014 at 7:58 AM, Glenn Adams wrote:
>> On Fri, Jun 20, 2014 at 2:24 AM, Mike West wrote:
>>> Any plans to share this specification? I assume it's the same non-public
>>> spec that you've mentioned before? :)
>> DLNA has very recently made their specifications ("guidelines") available
>> to non-members at [1]. The specific guideline I refer to is the CVP-2
>> device profile found in Part 5: Device Profiles. However, the requirement I
>> refer to below regarding CSP is in the process of being added to this
>> guideline via the DLNA General Maintenance process. I will check if I can
>> disclose the exact proposed text of the change to this group before it is
>> added to the published guideline.
> The proposed (draft) DLNA guideline requirements related to CSP are
> essentially as follows:
> [Guideline] RUI-H User Agent of a CVP-2 Client MUST implement and conform
> to the Content Security Policy [CSP] reference as defined by W3C HTML5
> Specification.

Sounds good!

> [Guideline] If a RUI-H User Agent of a CVP-2 Client allows installation of
> third-party extensions or add-ons that permits the injection of third-party
> content (of any form) into a Web page, then the RUI-H User Agent MUST
> apply [CSP] policy directives to the third party content when those policy
> directives are sourced from a RUI-H Transport Server using HTTPS.

It will surprise no one to hear that I think this is a bad idea, for all
the reasons that we've discussed on the list. What constitutes a "RUI-H
User Agent of a CVP-2 Client"?

Also: it's not entirely clear which policy directives the user agent is
obligated to apply. Those of the protected resource, I imagine?
"Third-party content" is also a bit poorly defined: do you mean
"third-party" in the sense of cross-origin? Or any content at all (inline
script, for instance)?

> [Guideline] When applying CSP to a third-party extension or add-on, the
> RUI-H User Agent MUST NOT report policy violations unless the violated
> policy directive was specified in a Content-Security-Policy-Report-Only
> header.

What problem is this solving? I don't understand the advantage of reporting
blocked extension activity only in report-only mode.


Mike West
Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 25 June 2014 09:10:50 UTC