Issue with "Content Security Policy (CSP)": bad explanatory text on example 5 #8137

Closed
arencambre opened this issue Aug 20, 2021 · 1 comment · Fixed by #34286
Labels
Content:HTTP HTTP docs help wanted If you know something about this topic, we would love your help!

Comments


MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

What information was incorrect, unhelpful, or incomplete?

Example 5 is Content-Security-Policy: default-src 'self' *.mailsite.com; img-src *. This CSP does not do what the explanatory text says it does.

The explanatory text suggests this CSP expands allowances for HTML and images but not "JavaScript or other potentially dangerous content". That is wrong. This CSP allows anything that falls back to default-src (list) to be loaded from (self) or *.mailsite.org while also allowing images to be loaded from anywhere.

As an example, since this CSP does not have a script-src directive, the value for default-src is used for that. default-src permits JavaScripts from (self) or *.mailsite.org, directly contradicting this text:

  • "A web site administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content."
  • "Note that this example doesn't specify a script-src; with the example CSP, this site uses the setting specified by the default-src directive, which means that scripts can be loaded only from the originating server."

Specific section or headline?

Example 5

What did you expect to see?

It's hard to make a specific recommendation because I am not clear on the true, original intent of this example. Either or both of the explanatory text or the example CSP are wrong, but that intent is important to discern how to correct.

If that intent cannot be discerned or specified, it may be best to delete this example.

@sideshowbarker sideshowbarker added the Content:HTTP HTTP docs label Aug 21, 2021
@Rumyra Rumyra added the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Nov 25, 2021
@sideshowbarker sideshowbarker added help wanted If you know something about this topic, we would love your help! and removed needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. labels Jul 7, 2022
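To make the fallback behaviour described in the report concrete, here is an added example (not MDN's code and not from the issue author): a deliberately simplified CSP evaluator in Python that resolves an absent script-src to default-src and applies the Example 5 policy quoted above. EXAMPLE_CSP is the policy from the report; the page origin and URLs used in the demonstration are constructed, and the matcher handles only 'self', 'none', '*' and scheme-less host-sources (no nonce, hash or scheme sources, ports ignored).

```python
from urllib.parse import urlparse

# The policy quoted in the issue (MDN CSP "Example 5").
EXAMPLE_CSP = "default-src 'self' *.mailsite.com; img-src *"

# Fetch directives that inherit default-src when not listed explicitly
# (a subset of the CSP3 fetch directives, enough for this example).
FETCH_DIRECTIVES = {"script-src", "img-src", "style-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"}

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_sources(policy, directive):
    """Return (source list, directive it came from) for a fetch directive.
    An absent fetch directive falls back to default-src; if neither is
    present, no restriction applies (None)."""
    if directive in policy:
        return policy[directive], directive
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"], "default-src"
    return None, None

def host_matches(pattern, host):
    """'*' matches any host; '*.x' matches subdomains of x but not x
    itself; anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def allowed(header, directive, url, page_origin):
    """Is a fetch of `url` for `directive` permitted on a page served from
    `page_origin`? Returns (decision, directive that decided it)."""
    sources, used = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True, used
    target, page = urlparse(url), urlparse(page_origin)
    for src in (s.lower() for s in sources):
        if src == "'self'":
            if (target.scheme, target.hostname) == (page.scheme, page.hostname):
                return True, used
        elif src != "'none'" and host_matches(src, target.hostname):
            return True, used
    return False, used
```

With the constructed page origin https://mail.example.com, a script from https://cdn.mailsite.com is allowed via default-src while an image from any host is allowed via img-src, which is the behaviour the report describes.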
bsmth commented Jun 14, 2024

Thanks for opening this one. The problem is in the prose, where I think the intention is to say that JS is not allowed to load from anywhere, in contrast with img-src *.
