
Clarify that CSP adds restrictions to SOP #35621

Merged: 2 commits merged Aug 29, 2024

Conversation

@timmc (Contributor) commented Aug 28, 2024

Description

Clarify that CSP builds on top of SOP rather than replacing it.

Motivation

A coworker found the existing line alarming, interpreting it to mean that adding a badly written CSP could actually undo some of the protections of the SOP. (This is not unprecedented, as the frame-ancestors directive overrides an existing X-Frame-Options header.) I've tried rewriting those lines to clarify the situation.
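The motivation above rests on two browser behaviours: a browser without CSP support ignores the header and falls back to the same-origin policy plus whatever legacy headers it understands, while a CSP-aware browser lets a frame-ancestors directive override an existing X-Frame-Options header. The following Python model is an added illustration for this discussion, not MDN's or the browsers' code; it simplifies the frame-ancestors source list to 'none', 'self' and exact origins (no scheme or host wildcards) and uses constructed header sets. It is useful as a config check because it makes the "badly written CSP" case concrete: a permissive frame-ancestors silently replaces an X-Frame-Options: DENY in browsers that honour CSP.

```python
"""Model how a browser combines Content-Security-Policy frame-ancestors with
the older X-Frame-Options header when deciding whether a page may be framed.

Added illustration; not MDN's code. Assumptions: frame-ancestors sources are
limited to 'none', 'self' and exact origins, and X-Frame-Options values are
DENY or SAMEORIGIN (anything else is treated as an unrecognised header).
"""
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _xfo_allows(xfo, page_url, framer_url):
    """Evaluate a legacy X-Frame-Options header."""
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return _origin(page_url) == _origin(framer_url)
    return True  # unrecognised value: browsers ignore the header entirely


def _frame_ancestors_allow(sources, page_url, framer_url):
    """Evaluate a (simplified) frame-ancestors source list."""
    framer = _origin(framer_url)
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "self" and framer == _origin(page_url):
            return True
        if s == framer:  # exact-origin match only in this model
            return True
    return False


def framing_allowed(headers, page_url, framer_url, browser_supports_csp=True):
    """Return (allowed, governing_mechanism) for framing page_url from framer_url.

    A CSP-unaware browser never sees the CSP; it applies SOP plus X-Frame-Options.
    A CSP-aware browser lets frame-ancestors override X-Frame-Options when present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    xfo = h.get("x-frame-options")
    if browser_supports_csp and csp is not None:
        sources = _parse_frame_ancestors(csp)
        if sources is not None:
            return _frame_ancestors_allow(sources, page_url, framer_url), "frame-ancestors"
    if xfo is not None:
        return _xfo_allows(xfo, page_url, framer_url), "X-Frame-Options"
    # Without either header, SOP alone does not forbid cross-origin framing.
    return True, "none"


if __name__ == "__main__":
    # Constructed example: a strict legacy header next to a looser CSP directive.
    hdrs = {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors https://partner.example",
    }
    page, framer = "https://app.example/", "https://partner.example/embed"
    print("CSP-aware browser:", framing_allowed(hdrs, page, framer))
    print("CSP-unaware browser:", framing_allowed(hdrs, page, framer, browser_supports_csp=False))
```

Run it on a real response's headers to see which mechanism a given browser would apply; the second return value tells you whether the decision came from frame-ancestors, X-Frame-Options, or neither.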
@timmc timmc requested a review from a team as a code owner August 28, 2024 14:52
@timmc timmc requested review from hamishwillee and removed request for a team August 28, 2024 14:52
@github-actions github-actions bot added Content:HTTP HTTP docs size/xs [PR only] 0-5 LoC changed labels Aug 28, 2024
github-actions bot (Contributor) commented Aug 29, 2024: Preview URLs (comment last updated: 2024-08-29 20:10:39)

Comment on lines 15 to 16
Browsers that don't support it still work with servers that implement it, and vice versa. Browsers that don't support CSP ignore it, functioning as usual; they will only apply the protections of the standard [same-origin policy](/en-US/docs/Web/Security/Same-origin_policy) without the further restrictions that the CSP would add.
The same is true for when a site doesn't offer a CSP header.
Collaborator:
I think this change is an improvement, definitely, but I don't think the last sentence is very clear: in particular, the scope of "the same is true" isn't very obvious. The same as what?

Personally I think it would be OK just to delete that sentence: the main point here is that if a site sets CSP, and the browser doesn't support it, then normal SOP applies.

timmc (Contributor, Author):

Good point, deleting that last sentence.

@wbamberg (Collaborator) left a review comment:

👍 thank you for your contribution, @timmc !

@wbamberg wbamberg merged commit 4d7b577 into mdn:main Aug 29, 2024
8 checks passed
Labels: Content:HTTP HTTP docs, size/xs [PR only] 0-5 LoC changed