- From: Mike West <mkwst@google.com>
- Date: Wed, 25 Jun 2014 11:10:02 +0200
- To: Glenn Adams <glenn@skynav.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dpn0rEV=Cw7BhQBkEEa40qU3ZO619LagQ8gkfUbsTCxw@mail.gmail.com>
Thanks Glenn!

On Wed, Jun 25, 2014 at 12:14 AM, Glenn Adams <glenn@skynav.com> wrote:

> On Fri, Jun 20, 2014 at 7:58 AM, Glenn Adams <glenn@skynav.com> wrote:
>
>> On Fri, Jun 20, 2014 at 2:24 AM, Mike West <mkwst@google.com> wrote:
>>
>>> Any plans to share this specification? I assume it's the same non-public
>>> spec that you've mentioned before? :)
>>
>> DLNA has very recently made their specifications ("guidelines") available
>> to non-members at [1]. The specific guideline I refer to is the CVP-2
>> device profile found in Part 5: Device Profiles. However, the requirement I
>> refer to below regarding CSP is in the process of being added to this
>> guideline via the DLNA General Maintenance process. I will check if I can
>> disclose the exact proposed text of the change to this group before it is
>> added to the published guideline.
>
> The proposed (draft) DLNA guideline requirements related to CSP are
> essentially as follows:
>
> [Guideline] RUI-H User Agent of a CVP-2 Client MUST implement and conform
> to the Content Security Policy [CSP] reference as defined by W3C HTML5
> Specification.

Sounds good!

> [Guideline] If a RUI-H User Agent of a CVP-2 Client allows installation of
> third-party extensions or add-ons that permits the injection of third-party
> content (of any form) into a Web page, then the RUI-H User Agent MUST
> apply [CSP] policy directives to the third party content when those policy
> directives are sourced from a RUI-H Transport Server using HTTPS.

It will surprise no one to hear that I think this is a bad idea, for all the reasons that we've discussed on the list.

What constitutes a "RUI-H User Agent of a CVP-2 Client"?

Also: it's not entirely clear which policy directives the user agent is obligated to apply. Those of the protected resource, I imagine?

"Third-party content" is also a bit poorly defined: do you mean "third-party" in the sense of cross-origin? Or any content at all (inline script, for instance)?

> [Guideline] When applying CSP to a third-party extension or add-on, the
> RUI-H User Agent MUST NOT report policy violations unless the violated
> policy directive was specified in a Content-Security-Policy-Report-Only
> header.

What problem is this solving? I don't understand the advantage of reporting blocked extension activity only in report-only mode.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 25 June 2014 09:10:50 UTC
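The last guideline quoted above hinges on the difference between the two CSP header names: under `Content-Security-Policy` a violating load is blocked and reported, under `Content-Security-Policy-Report-Only` it is reported but still allowed. The following Python model is an added illustration for this archive page; it is not part of the thread, of the DLNA guideline, or of any W3C text. It is a deliberately simplified CSP source matcher (only `'self'`, `'none'`, `'unsafe-inline'`, scheme sources and host sources; ports, paths, nonces and hashes are not modelled) plus the enforce/report-only decision. The page origin `https://tv.example`, the host names and the policy strings are constructed for the example.

```python
"""Toy model of how a CSP header's mode decides block vs. report for one load.

Added example; simplified relative to the CSP source-matching algorithm.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent (CSP 1.0/1.1).
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src",
    "frame-src", "font-src", "media-src", "object-src",
}

# Constructed sample inputs.
PAGE_ORIGIN = "https://tv.example"
POLICY = "default-src 'self'; script-src 'self' https://cdn.example"


def parse_policy(header_value):
    """Parse "name src src; name src" into {name: [src, ...]}.

    A repeated directive name is ignored (the first occurrence wins), as CSP requires.
    """
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_matches(expr, load_url, page_origin):
    """Does one source expression permit this load? load_url None means inline content.

    Simplification: a host source without a scheme is matched on host only; the
    real algorithm also constrains the scheme to that of the protected resource.
    """
    expr = expr.strip()
    if expr == "'none'":
        return False
    if load_url is None:                      # inline script/style
        return expr == "'unsafe-inline'"
    if expr.startswith("'"):                  # keyword sources
        return expr == "'self'" and origin_of(load_url) == page_origin
    if expr == "*":
        return True
    if expr.endswith(":"):                    # scheme source, e.g. "https:"
        return urlsplit(load_url).scheme.lower() == expr[:-1].lower()
    scheme, host = (expr.split("://", 1) if "://" in expr else (None, expr))
    host = host.split("/", 1)[0].split(":", 1)[0].lower()   # drop path and port
    load = urlsplit(load_url)
    if scheme and load.scheme.lower() != scheme.lower():
        return False
    load_host = (load.hostname or "").lower()
    if host.startswith("*."):
        return load_host.endswith(host[1:])   # "*.example" matches "a.example"
    return load_host == host


def evaluate(header_name, header_value, directive, load_url, page_origin):
    """Return (blocked, reported) for one load governed by `directive`.

    Content-Security-Policy: a violation is blocked AND reported.
    Content-Security-Policy-Report-Only: a violation is reported but NOT blocked.
    """
    policy = parse_policy(header_value)
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return (False, False)                 # no governing directive at all
    if any(source_matches(s, load_url, page_origin) for s in sources):
        return (False, False)                 # permitted: nothing to report
    report_only = header_name.lower() == "content-security-policy-report-only"
    return (not report_only, True)


if __name__ == "__main__":
    scenarios = [
        ("Content-Security-Policy", "script-src", "https://cdn.example/app.js"),
        ("Content-Security-Policy", "script-src", "https://injected.example/x.js"),
        ("Content-Security-Policy-Report-Only", "script-src", "https://injected.example/x.js"),
        ("Content-Security-Policy", "img-src", "https://tv.example/logo.png"),
        ("Content-Security-Policy", "script-src", None),   # inline script
    ]
    for header, directive, url in scenarios:
        blocked, reported = evaluate(header, POLICY, directive, url, PAGE_ORIGIN)
        print(f"{header:36} {directive:10} {url!s:32} blocked={blocked} reported={reported}")
```

Running the scenarios shows the asymmetry the reply is asking about: an injected script that the enforcing policy blocks is also the one that produces a report, while the Report-Only header produces the report without blocking anything. A rule that reports violations only for Report-Only directives therefore leaves the enforced blocks, the ones an operator would most want to see, unreported.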