CSP sandbox allow-same-origin - clarify #40489

Open. Wants to merge 1 commit into main.

Conversation

hamishwillee
Collaborator

@hamishwillee hamishwillee commented Jul 22, 2025

I found the description of the CSP sandbox value allow-same-origin to be a little confusing. This rewords to match the pattern of the other values, and adds the note that the Origin header will be null if this is not set.

This fell out of reviewing #40093

Fixes #40094
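The behaviour the description summarizes, as an added example that is not part of this PR, the MDN page, or MDN's own code; it assumes a constructed sample origin and constructed policy values, and runs under Node:

```javascript
// Added example, not code from the MDN PR or from MDN itself. It models the
// behaviour the PR describes: a document delivered with a
// `Content-Security-Policy: sandbox` directive gets an opaque origin unless the
// `allow-same-origin` token is present, and an opaque origin serializes to the
// string "null", which is what the Origin request header then carries. The CORS
// helper shows the defensive consequence: an allowlist must never match "null",
// because every sandboxed or opaque-origin document sends it, so it identifies
// no one. Origins and policies below are constructed sample values.

// Return the sandbox directive's tokens (lower-cased) as a Set,
// or null when the policy has no sandbox directive at all.
function parseSandboxDirective(cspHeader) {
  for (const rawDirective of cspHeader.split(";")) {
    const parts = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0 || parts[0].toLowerCase() !== "sandbox") continue;
    return new Set(parts.slice(1).map((t) => t.toLowerCase()));
  }
  return null;
}

// Serialized origin the document ends up with. `realOrigin` is the origin the
// response came from; a bare `sandbox` (no tokens) still yields an opaque origin.
function effectiveOrigin(realOrigin, cspHeader) {
  const tokens = parseSandboxDirective(cspHeader);
  if (tokens === null || tokens.has("allow-same-origin")) return realOrigin;
  return "null"; // opaque origin: same-origin checks against realOrigin fail
}

// Value a server may put in Access-Control-Allow-Origin for a request that
// carried `originHeader`; null means "do not allow". A missing header or the
// literal "null" is rejected before the allowlist is consulted.
function corsAllowOriginFor(originHeader, allowlist) {
  if (originHeader === undefined || originHeader === "null") return null;
  return allowlist.includes(originHeader) ? originHeader : null;
}

// Constructed sample: one real origin, three policies.
const ORIGIN = "https://app.example";
const POLICIES = {
  noSandbox: "default-src 'self'",
  sandboxOnly: "default-src 'self'; sandbox allow-scripts",
  sandboxSameOrigin: "default-src 'self'; sandbox allow-scripts allow-same-origin",
};
for (const [name, csp] of Object.entries(POLICIES)) {
  const origin = effectiveOrigin(ORIGIN, csp);
  console.log(`${name}: Origin=${origin}, CORS=${corsAllowOriginFor(origin, [ORIGIN])}`);
}
```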

@hamishwillee hamishwillee requested a review from a team as a code owner July 22, 2025 00:15
@hamishwillee hamishwillee requested review from bsmth and removed request for a team July 22, 2025 00:15
@github-actions github-actions bot added Content:HTTP HTTP docs size/s [PR only] 6-50 LoC changed labels Jul 22, 2025
Contributor

Preview URLs

Flaws (3)

URL: /en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/sandbox
Title: Content-Security-Policy: sandbox directive
Flaw count: 3

  • unknown:
    • No generic content config found
    • no blog root
    • no blog root

@Josh-Cena
Member

  1. Perhaps you could use this chance to fix The Content-Security-Policy: sandbox allow-same-origin section has some ambiguity #40094?
  2. Mention that Content-Security-Policy: sandbox can lead to Origin: null #40093 has a grammatical error; it should be "that doesn't".

@hamishwillee
Collaborator Author

I already fixed the second in another issue. The first outlines a number of problems, the only one that is valid (Origin) is already fixed. I've added "Fixes" above for that. Nothing else to do.

Comment on lines +59 to +61
- : Allows a same-origin sandboxed resource to be treated as same-origin, reducing the restrictions normally applied to a sandbox.

If this token is not used, the resource is treated as being from a special origin that always fails the {{Glossary("same-origin policy")}} (potentially preventing access to [data storage/cookies](/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access) and some JavaScript APIs).
Member

Tough one to summarize, is this any better?

Suggested change
- : Allows a same-origin sandboxed resource to be treated as same-origin, reducing the restrictions normally applied to a sandbox.
If this token is not used, the resource is treated as being from a special origin that always fails the {{Glossary("same-origin policy")}} (potentially preventing access to [data storage/cookies](/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access) and some JavaScript APIs).
- : Allows a sandboxed resource to maintain its {{Glossary("origin")}}.
A sandboxed resource is otherwise treated as being from an origin that always fails {{Glossary("same-origin policy")}} checks, which prevents access to [`localstorage` and `document.cookie`](/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access) and some JavaScript APIs.

causes the content to be treated as being from its real origin instead of forcing it into an opaque origin;
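Review bot: `localstorage` in the replacement line should be `localStorage`; the Web Storage property is camelCase (`window.localStorage`), so the link text as written names something that does not exist. Also consider keeping the original's "reducing the restrictions normally applied to a sandbox" in the first sentence, since "Allows a sandboxed resource to maintain its origin" on its own no longer says what the token relaxes.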

- : Allows a same-origin sandboxed resource to be treated as same-origin, reducing the restrictions normally applied to a sandbox.

If this token is not used, the resource is treated as being from a special origin that always fails the {{Glossary("same-origin policy")}} (potentially preventing access to [data storage/cookies](/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access) and some JavaScript APIs).
The {{httpheader("Origin")}} of such a request would be `null`.
Member

Suggested change
The {{httpheader("Origin")}} of such a request would be `null`.
The {{httpheader("Origin")}} of sandboxed resources without the `allow-same-origin` keyword is `null`.
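Review bot: the replacement attaches the Origin header to "sandboxed resources", but the header belongs to a request the resource makes, which is what the original line's "of such a request" captured. Suggest: "Requests from a sandboxed resource that lacks the `allow-same-origin` keyword carry an {{httpheader("Origin")}} of `null`."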

Successfully merging this pull request may close these issues.

The Content-Security-Policy: sandbox allow-same-origin section has some ambiguity
3 participants