CSP: sandbox

The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.

CSP version 1.1 / 2
Directive type Document directive
This directive is not supported in the <meta> element or by the Content-Security-policy-Report-Only header field.

Syntax

Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;

where <value> can optionally be one of the following values:

allow-downloads

Allows for downloads after the user clicks a button or link.

allow-downloads-without-user-activation

Allows for downloads to occur without a gesture from the user.

allow-forms

Allows the page to submit forms. If this keyword is not used, this operation is not allowed.

allow-modals

Allows the page to open modal windows.

allow-orientation-lock

Allows the page to disable the ability to lock the screen orientation.

allow-pointer-lock

Allows the page to use the Pointer Lock API.

allow-popups

Allows popups (like from window.open, target="_blank", showModalDialog). If this keyword is not used, that functionality will silently fail.

allow-popups-to-escape-sandbox

Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.

allow-presentation

Allows embedders to have control over whether an iframe can start a presentation session.

allow-same-origin

Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.

allow-scripts

Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.

allow-storage-access-by-user-activation

Lets the resource request access to the parent's storage capabilities with the Storage Access API.

allow-top-navigation

Allows the page to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.

allow-top-navigation-by-user-activation

Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.

Examples

Content-Security-Policy: sandbox allow-scripts;

Specifications

Specification
Content Security Policy Level 3 (Content Security Policy 3)
# directive-sandbox

Browser compatibility

BCD tables only load in the browser

See also