2

In the HTTP protocol, there is a so-called Content Security Policy (CSP) that (among other things) allows the creator of a site to disallow browsers from framing the site inside another site. All mainstream browsers abide by this "command" of the creator of a site.

Is bypassing CSP (it can be done through a specifically crafted proxy server that removes or changes CSP) illegal (in the US and in Europe)? Note that changing HTTP headers by proxies is a common practice.

I have an argument that it is legal: If I put another site inside my frame (plus buttons like Forward/Backward), then I just create a new WWW browser (running inside another browser) and creating browsers is not disallowed. Is this a valid argument?

porton
  • Technical note - the request now comes from your proxy server, which avoids most of the security issues that CSP was created to solve. For example, the browser won't send the user's bank account details to the proxied online banking site, because it sees the proxy and not the site. – user253751 Apr 07 '22 at 09:44
  • Could you provide any indication why you think that ignoring a CSP header would be illegal? Are you concerned that this header could qualify as “effective technical measures” for DRM purposes, circumvention of which would be illegal? Or are you interpreting the headers as a copyrightable work, modification of which would be an unauthorized derivative work? – amon Apr 07 '22 at 11:59
  • The linked question suggested as a duplicate involves similar legal issues, but different technical ones and to some extent different legal ones. In my view, this should not be closed as a duplicate. Also, if evading CSP was unlawful, it would not be a matter of copyright law, which further makes this not a duplicate. – David Siegel Apr 07 '22 at 14:49
  • @amon I suspected that it's “effective technical measures” for DRM purposes. – porton Apr 07 '22 at 17:59

1 Answer

3

No. CSP is a suggestion to browsers to implement some security checks. Bypassing CSP is no more illegal than using a browser that doesn't support it.

520