From ee94d025c1d3f996c08cc250dfaffd96b8b17bb4 Mon Sep 17 00:00:00 2001 From: Joshua Chen Date: Thu, 20 Jun 2024 10:36:44 -0400 Subject: [PATCH 1/2] Fix CSP example explanation --- files/en-us/web/http/csp/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/files/en-us/web/http/csp/index.md b/files/en-us/web/http/csp/index.md index 100b7e07e5ef980..f9a86404c817c85 100644 --- a/files/en-us/web/http/csp/index.md +++ b/files/en-us/web/http/csp/index.md @@ -122,14 +122,14 @@ The server permits access only to documents being loaded specifically over HTTPS ### Example 5 -A website administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content. +A website administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but JavaScript or other potentially dangerous content can only come from the same origin as the mail server. ```http Content-Security-Policy: default-src 'self' *.example.com; img-src * ``` Note that this example doesn't specify a {{CSP("script-src")}}; with the example CSP, -this site uses the setting specified by the {{CSP("default-src")}} directive, which means that scripts can be loaded only from the originating server. +this site uses the setting specified by the {{CSP("default-src")}} directive. ## Testing your policy From 852c10bc2e2ca480222a1e2b0ea86fc98e6d1b41 Mon Sep 17 00:00:00 2001 From: Joshua Chen Date: Thu, 20 Jun 2024 13:13:39 -0400 Subject: [PATCH 2/2] Update index.md --- files/en-us/web/http/csp/index.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/files/en-us/web/http/csp/index.md b/files/en-us/web/http/csp/index.md index f9a86404c817c85..8ecf8c55deb2e43 100644 --- a/files/en-us/web/http/csp/index.md +++ b/files/en-us/web/http/csp/index.md 
@@ -128,8 +128,7 @@ A website administrator of a web mail site wants to allow HTML in email, as well Content-Security-Policy: default-src 'self' *.example.com; img-src * ``` -Note that this example doesn't specify a {{CSP("script-src")}}; with the example CSP, -this site uses the setting specified by the {{CSP("default-src")}} directive. +Note that this example doesn't specify a {{CSP("script-src")}}, so the {{CSP("default-src")}} directive will be used for JavaScript sources as a fallback. ## Testing your policy
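Review bot: In the first hunk (PATCH 1/2, the `-A website administrator...`/`+A website administrator...` pair), the new wording "can only come from the same origin as the mail server" understates what the example policy permits: `default-src 'self' *.example.com` allows scripts (and every other fetch type that falls back to `default-src`) from the document's own origin and from any `*.example.com` host, not from the same origin only. Suggest "...but JavaScript or other potentially dangerous content can only come from the same origin as the mail server or from a subdomain of example.com", so the prose matches the `Content-Security-Policy` line directly below it; the line removed at the end of this hunk ("which means that scripts can be loaded only from the originating server") had the same inaccuracy, so dropping it is right, but the hunk then leaves the fallback behaviour unexplained until the second patch.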
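Review bot: In the second hunk (PATCH 2/2), the replacement sentence correctly describes `default-src` as the fallback for the missing `script-src`, but it should spell out what that fallback means for this specific policy, since that is the point the example exists to teach: with no `script-src`, scripts may load from `'self'` and `*.example.com`, and the same fallback applies to every other fetch directive the policy leaves out, so "other potentially dangerous content" in the preceding paragraph is covered by the same rule. Suggest appending something like "so scripts may only be loaded from the same origin or from `*.example.com`, as may any other resource type not given its own directive". Separately, the commit message "Update index.md" records nothing about why the sentence changed; a one-line rationale (e.g. that `default-src` is a fallback rather than a setting "used by" the site) would help anyone reading the history.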