From 7f1426a52f54028a9978a1cb7abde672b5453e84 Mon Sep 17 00:00:00 2001
From: Joshua Chen <sidachen2003@gmail.com>
Date: Fri, 21 Jun 2024 03:39:24 -0400
Subject: [PATCH] Fix CSP example explanation (#34286)

* Fix CSP example explanation

* Update index.md
---
 files/en-us/web/http/csp/index.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/files/en-us/web/http/csp/index.md b/files/en-us/web/http/csp/index.md
index 100b7e07e5ef980..8ecf8c55deb2e43 100644
--- a/files/en-us/web/http/csp/index.md
+++ b/files/en-us/web/http/csp/index.md
@@ -122,14 +122,13 @@ The server permits access only to documents being loaded specifically over HTTPS
 
 ### Example 5
 
-A website administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content.
+A website administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but JavaScript or other potentially dangerous content can only come from the same origin as the mail server.
 
 ```http
 Content-Security-Policy: default-src 'self' *.example.com; img-src *
 ```
 
-Note that this example doesn't specify a {{CSP("script-src")}}; with the example CSP,
-this site uses the setting specified by the {{CSP("default-src")}} directive, which means that scripts can be loaded only from the originating server.
+Note that this example doesn't specify a {{CSP("script-src")}}, so the {{CSP("default-src")}} directive will be used for JavaScript sources as a fallback.
 
 ## Testing your policy