
Default Behaviour of no CSP header

Open tsweli opened this issue 1 year ago • 2 comments

MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

What specific section or headline is this issue about?

2nd paragraph

What information was incorrect, unhelpful, or incomplete?

In the second paragraph of this, the last sentence states: If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.

What did you expect to see?

Not too sure what is meant here. If it is what I think it is, then it wouldn't make sense, because the restriction imposed by the same-origin policy is usually relevant for cross-origin requests? The way I interpreted this when I read it was that essentially no CSP means the following CSP for fetch directives:

Content-Security-Policy: default-src 'self';

Which isn't true, because telling the current page not to load a resource when a request is made from some origin (SOP) is different from telling the current page not to load a resource from some origin (CSP fetch restrictions).

Also, where these are defined is different.

Do you have any supporting links, references, or citations?

No response

Do you have anything more you want to share?

No response

MDN metadata

Page report details
  • Folder: en-us/web/http/csp
  • MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  • GitHub URL: https://github.com/mdn/content/blob/main/files/en-us/web/http/csp/index.md
  • Last commit: https://github.com/mdn/content/commit/acfe8c9f1f4145f77653a2bc64a9744b001358dc
  • Document last modified: 2023-07-07T07:19:19.000Z

tsweli, Jan 05 '24 13:01

Hi @tsweli, thanks for raising this.

Content-Security-Policy: default-src 'self'; would then be more restrictive than the SOP as there are some cross-origin requests that the SOP allows. You can see the values that default-src would apply to here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src. So images from another origin, for example, would not load as expected with Content-Security-Policy: default-src 'self'; applied.

bsmth, Feb 28 '24 16:02
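To make the distinction in this thread concrete, here is an added example (not from MDN, the issue author, or the mdn/content project): a small model that evaluates whether a resource load would pass a CSP header versus the bare same-origin policy. It implements only a subset of CSP source matching (`'none'`, `*`, `'self'`, scheme-source and host-source without ports or paths), and all origins and URLs below are constructed.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Scheme/host/port tuple that the same-origin policy compares."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_allows(expr, page_url, resource_url):
    """Subset of CSP source matching: 'none', *, 'self', scheme-source, host-source (no ports/paths)."""
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        return origin(page_url) == origin(resource_url)
    r = urlsplit(resource_url)
    if expr.endswith(":"):                      # scheme-source, e.g. https:
        return r.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")    # host-source, e.g. https://cdn.example.net
    if scheme and scheme != r.scheme:
        return False
    if host.startswith("*."):                   # wildcard subdomain, e.g. *.example.net
        return r.hostname.endswith(host[1:])
    return r.hostname == host

def csp_allows(header, page_url, resource_url, directive):
    """Would the CSP permit this fetch? Falls back to default-src, then to 'no restriction'."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, page_url, resource_url) for s in sources)

def sop_allows(page_url, resource_url, action):
    """Same-origin policy with no CSP: cross-origin embedding (img, script, css) loads;
    only reading the response from script ('read') is limited to the same origin (absent CORS)."""
    if action == "embed":
        return True
    return origin(page_url) == origin(resource_url)
```

With the header from the issue, `csp_allows("default-src 'self';", page, "https://cdn.example.net/logo.png", "img-src")` is `False`, while `sop_allows(page, ..., "embed")` is `True`, which is the gap the comment above describes.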

@bsmth It seems the current content is correct. What do you suggest should be done, if at all?

Josh-Cena, Jun 29 '24 22:06

FWIW I'd probably close it because the text is correct.

But if you felt inclined, you could add a short note at the end of https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#example_1 stating that "this differs from the standard same-origin case without CSP, as that allows some resources to be sent cross-origin, such as X, Y, Z."

hamishwillee, Jul 01 '24 04:07

Right, I'm fine with closing this because there's nothing incorrect, although I think we could be clearer between CSP & SOP/CORS concepts in this section. I am going to be touching CORS docs from an editorial perspective in the coming weeks, so I hope this is clearer afterwards.

bsmth, Jul 01 '24 12:07

Closing then.

hamishwillee, Jul 01 '24 23:07