2

In the HTTP protocol, there is the so-called Content Security Policy (CSP) that (among other things) allows the creator of a site to disallow browsers from putting the site framed inside another site. All mainstream browsers abide by this "command" of the creator of a site.

Is bypassing CSP (it can be done through a specifically crafted proxy server that removes or changes CSP) illegal (in the US and in Europe)? Note that changing HTTP headers by proxies is a common practice.

I have an argument that it is legal: If I put another site inside my frame (plus buttons like Forward/Backward), then I just create a new WWW browser (running inside another browser) and creating browsers is not disallowed. Is this a valid argument?

5
  • 3
    Does this answer your question? Can you be accused of hotlinking/copyright violation if you use an iframe? Commented Apr 7, 2022 at 3:06
  • 2
    Technical note - the request now comes from your proxy server, which avoids most of the security issues that CSP was created to solve. For example, the browser won't send the user's bank account details to the proxied online banking site, because it sees the proxy and not the site. Commented Apr 7, 2022 at 9:44
  • Could you provide any indication why you think that ignoring a CSP header would be illegal? Are you concerned that this header could qualify as “effective technical measures” for DRM purposes, circumvention of which would be illegal? Or are you interpreting the headers as a copyrightable work, modification of which would be an unauthorized derivative work?
    – amon
    Commented Apr 7, 2022 at 11:59
  • The linked question suggested as a duplicate involves similar legal issues, but different technical ones and to some extent different legal ones. In my view, this should not be closed as a duplicate. Also, if evading CSP was unlawful, it would not be a matter of copyright law, which further makes this not a duplicate. Commented Apr 7, 2022 at 14:49
  • @amon I suspected that it's “effective technical measures” for DRM purposes.
    – porton
    Commented Apr 7, 2022 at 17:59

1 Answer

3

No. CSP is a suggestion to browsers to implement some security checks. Bypassing CSP is no more illegal than using a browser that doesn't support it.
