What information was incorrect, unhelpful, or incomplete?
Example 5 is Content-Security-Policy: default-src 'self' *.mailsite.com; img-src *. This CSP does not do what the explanatory text says it does.
The explanatory text suggests this CSP expands allowances for HTML and images but not "JavaScript or other potentially dangerous content". That is wrong. This CSP allows anything that falls back to default-src (list) to be loaded from (self) or *.mailsite.org while also allowing images to be loaded from anywhere.
As an example, since this CSP does not have a script-src directive, the value for default-src is used for that. default-src permits JavaScript from (self) or *.mailsite.org, directly contradicting this text:
"A web site administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content."
"Note that this example doesn't specify a script-src; with the example CSP, this site uses the setting specified by the default-src directive, which means that scripts can be loaded only from the originating server."
Specific section or headline?
Example 5
What did you expect to see?
It's hard to make a specific recommendation because I am not clear on the true, original intent of this example. Either or both of the explanatory text or the example CSP are wrong, but that intent is important to discern how to correct.
If that intent cannot be discerned or specified, it may be best to delete this example.
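The fallback behaviour the issue describes, as an added example that is not part of the issue or of MDN's content: a small resolver that parses a Content-Security-Policy header, reports which directive ends up governing a given fetch directive (script-src falling back to default-src when absent), and evaluates Example 5 against sample URLs. The page origin https://mail.example, the third-party hosts, and the second policy (an explicit script-src 'self', illustrating the second quoted sentence's reading, not a proposed correction) are constructed for the illustration; the source matcher is simplified and ignores ports, paths, nonces, hashes and 'unsafe-inline'.

```javascript
// Added example (not MDN's code): resolve which CSP directive governs a fetch
// and evaluate the policy from Example 5. Simplified matcher: ignores ports,
// paths, nonces, hashes and 'unsafe-inline'.

// Fallback chains for a few fetch directives: a missing directive falls back
// to the next one in its chain, ending at default-src.
const FALLBACKS = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src": ["script-src", "default-src"],
  "style-src": ["style-src", "default-src"],
  "img-src": ["img-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
};

// Parse "name value value; name value" into { name: [values] }.
// A repeated directive is ignored (the first occurrence wins).
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Which directive actually governs `directive` once fallback is applied?
function effectiveSources(directives, directive) {
  const chain = FALLBACKS[directive] || [directive, "default-src"];
  for (const name of chain) {
    if (name in directives) return { governedBy: name, sources: directives[name] };
  }
  return { governedBy: null, sources: null }; // nothing applies: unrestricted
}

// Does one source expression match the URL? (simplified CSP host matching)
function sourceMatches(expr, url, selfOrigin) {
  const u = new URL(url);
  const e = expr.toLowerCase();
  if (e === "'self'") return u.origin === selfOrigin;
  if (e === "'none'") return false;
  if (e === "*") return u.protocol === "http:" || u.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e; // scheme-source, e.g. https:
  let scheme = null;
  let host = e;
  const m = e.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ":"; host = m[2]; }
  host = host.split("/")[0].split(":")[0]; // drop path and port (simplification)
  const httpish = u.protocol === "http:" || u.protocol === "https:";
  if (scheme ? u.protocol !== scheme : !httpish) return false;
  if (host.startsWith("*.")) return u.hostname.endsWith(host.slice(1)); // subdomains only, not the apex
  return u.hostname === host;
}

function isAllowed(header, directive, url, selfOrigin) {
  const { sources } = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  if (sources.length === 0) return false; // an empty source list behaves like 'none'
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Example 5 from the MDN page, evaluated from a constructed page origin.
const EXAMPLE_5 = "default-src 'self' *.mailsite.com; img-src *";
const SELF = "https://mail.example"; // constructed

function evaluateExample5() {
  return {
    scriptGovernedBy: effectiveSources(parsePolicy(EXAMPLE_5), "script-src").governedBy,
    scriptFromSelf: isAllowed(EXAMPLE_5, "script-src", "https://mail.example/app.js", SELF),
    scriptFromMailsiteSubdomain: isAllowed(EXAMPLE_5, "script-src", "https://cdn.mailsite.com/app.js", SELF),
    scriptFromElsewhere: isAllowed(EXAMPLE_5, "script-src", "https://third-party.example/x.js", SELF),
    imageFromElsewhere: isAllowed(EXAMPLE_5, "img-src", "https://third-party.example/x.png", SELF),
  };
}

// Constructed variant: an explicit script-src stops the fallback to default-src,
// so scripts come only from the originating server while images stay unrestricted.
const SCRIPT_SELF_ONLY = "default-src 'self' *.mailsite.com; img-src *; script-src 'self'";

function evaluateScriptSelfOnly() {
  return {
    scriptGovernedBy: effectiveSources(parsePolicy(SCRIPT_SELF_ONLY), "script-src").governedBy,
    scriptFromSelf: isAllowed(SCRIPT_SELF_ONLY, "script-src", "https://mail.example/app.js", SELF),
    scriptFromMailsiteSubdomain: isAllowed(SCRIPT_SELF_ONLY, "script-src", "https://cdn.mailsite.com/app.js", SELF),
    imageFromElsewhere: isAllowed(SCRIPT_SELF_ONLY, "img-src", "https://third-party.example/x.png", SELF),
  };
}

console.log(evaluateExample5(), evaluateScriptSelfOnly());
```

Under Example 5 the resolver reports that script loads are governed by default-src, so a script from any *.mailsite.com subdomain is allowed, which is the mismatch with the prose that the issue points out; adding an explicit script-src is what changes that outcome.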
Rumyra added the needs triage label on Nov 25, 2021
sideshowbarker added the help wanted label and removed the needs triage label on Jul 7, 2022
Thanks for opening this one. The problem is in the prose, where I think the intention is to say that JS is not allowed to load from anywhere, in contrast with img-src *.
MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
MDN Content page report details
en-us/web/http/csp