CSP: sandbox
The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
| CSP version | 1.1 / 2 |
|---|---|
| Directive type | Document directive |
| This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field. | |
Syntax
Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;
where <value> can optionally be one of the following values:
allow-downloads
Allows for downloads after the user clicks a button or link.
allow-downloads-without-user-activation
Allows for downloads to occur without a gesture from the user.
allow-forms
Allows the page to submit forms. If this keyword is not used, this operation is not allowed.
allow-modals
Allows the page to open modal windows.
allow-orientation-lock
Allows the page to disable the ability to lock the screen orientation.
allow-pointer-lock
Allows the page to use the Pointer Lock API.
allow-popups
Allows popups (like from window.open, target="_blank", showModalDialog). If this keyword is not used, that functionality will silently fail.
allow-popups-to-escape-sandbox
Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
allow-presentation
Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin
Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-scripts
Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-storage-access-by-user-activation
Lets the resource request access to the parent's storage capabilities with the Storage Access API.
allow-top-navigation
Allows the page to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.
allow-top-navigation-by-user-activation
Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
Examples
Content-Security-Policy: sandbox allow-scripts;
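The following is an added example, not part of the original page: a small auditing function that reads the sandbox directive out of a CSP header value and reports which of the keywords listed above are granted, which stay withheld, and which tokens are not in the list (typically typos). The function name `auditSandbox` and the sample headers are constructed for illustration.

```javascript
// Added example: audit the sandbox directive of a CSP header value.
// The keyword list is the one given on this page.
const SANDBOX_KEYWORDS = [
  "allow-downloads", "allow-downloads-without-user-activation", "allow-forms",
  "allow-modals", "allow-orientation-lock", "allow-pointer-lock", "allow-popups",
  "allow-popups-to-escape-sandbox", "allow-presentation", "allow-same-origin",
  "allow-scripts", "allow-storage-access-by-user-activation",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
];

function auditSandbox(headerName, headerValue) {
  const result = { present: false, enforced: false, granted: [], withheld: [], unknown: [] };
  // Directives are separated by ";", a directive's name and values by whitespace.
  for (const part of headerValue.split(";")) {
    const [name, ...tokens] = part.trim().split(/\s+/);
    if (!name || name.toLowerCase() !== "sandbox") continue;
    result.present = true;
    // Per the page, sandbox is not supported in Content-Security-Policy-Report-Only.
    result.enforced = headerName.toLowerCase() === "content-security-policy";
    const seen = new Set(tokens.map((t) => t.toLowerCase()));
    result.granted = SANDBOX_KEYWORDS.filter((k) => seen.has(k));
    result.withheld = SANDBOX_KEYWORDS.filter((k) => !seen.has(k));
    result.unknown = [...seen].filter((t) => !SANDBOX_KEYWORDS.includes(t));
    break; // CSP parsing keeps only the first directive of a given name
  }
  return result;
}

// Constructed sample headers.
const samples = [
  ["Content-Security-Policy", "default-src 'self'; sandbox allow-scripts allow-forms"],
  ["Content-Security-Policy", "sandbox"], // bare sandbox: every restriction applies
  ["Content-Security-Policy-Report-Only", "sandbox allow-scripts"],
  ["Content-Security-Policy", "sandbox allow-script allow-popups"], // typo: allow-script
];
for (const [name, value] of samples) {
  const r = auditSandbox(name, value);
  console.log(`${name}: ${value}`);
  console.log(`  enforced=${r.enforced} granted=[${r.granted}] unknown=[${r.unknown}]`);
}
```

A non-empty `unknown` list is worth failing a deployment check on, since a misspelled keyword leaves the intended capability withheld.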
Specifications
Browser compatibility
| Platform | Browser | sandbox |
|---|---|---|
| Desktop | Chrome | 25 |
| Desktop | Edge | 14 |
| Desktop | Firefox | 50 |
| Desktop | Internet Explorer | 10 |
| Desktop | Opera | 15 |
| Desktop | Safari | 7 |
| Mobile | WebView Android | Yes |
| Mobile | Chrome Android | Yes |
| Mobile | Firefox for Android | 50 |
| Mobile | Opera Android | ? |
| Mobile | Safari on iOS | 7 |
| Mobile | Samsung Internet | Yes |
See also
Content-Security-Policy
sandbox attribute on <iframe> elements
© 2005–2021 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox