Content-Security-Policy: sandbox directive
      This feature is well established and works across many devices and browser versions. It’s been available across browsers since November 2016.
The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute.
It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
| CSP version | 1.1 / 2 |
|---|---|
| Directive type | Document directive |

Note:
This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field.
Syntax
Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;
where <value> is optional and, when present, is a space-separated list of one or more of the following keywords:
- allow-downloads: Allows downloading files through an <a> or <area> element with the download attribute, as well as through a navigation that leads to a download of a file. This works regardless of whether the user clicked the link or JS code initiated it without user interaction.
- allow-forms: Allows the page to submit forms. If this keyword is not used, a form is still displayed as normal, but submitting it will not trigger input validation, send data to a web server, or close a dialog.
- allow-modals: Allows the page to open modal windows by Window.alert(), Window.confirm(), Window.print() and Window.prompt(); opening a <dialog> is allowed regardless of this keyword. It also allows the page to receive the BeforeUnloadEvent event.
- allow-orientation-lock: Lets the resource lock the screen orientation.
- allow-pointer-lock: Allows the page to use the Pointer Lock API.
- allow-popups: Allows popups (created, for example, by Window.open() or target="_blank"). If this keyword is not used, popup display silently fails.
- allow-popups-to-escape-sandbox: Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This allows, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon the page the ad links to.
- allow-presentation: Allows embedders to have control over whether an iframe can start a presentation session.
- allow-same-origin: Allows a sandboxed resource to retain its origin. A sandboxed resource is otherwise treated as being from an opaque origin, which ensures that it always fails same-origin policy checks and hence cannot access localStorage, document.cookie and some JavaScript APIs. The Origin of sandboxed resources without the allow-same-origin keyword is null. Note that combining allow-same-origin with allow-scripts lets scripts in the document run with its real origin, including access to that origin's cookies and storage, so the origin isolation the sandbox provides is lost.
- allow-scripts: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
- allow-storage-access-by-user-activation (Experimental): Lets the resource request access to the parent's storage capabilities with the Storage Access API.
- allow-top-navigation: Lets the resource navigate the top-level browsing context (the one named _top).
- allow-top-navigation-by-user-activation: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
- allow-top-navigation-to-custom-protocols: Allows navigations to non-http protocols built into the browser or registered by a website. This feature is also activated by the allow-popups or allow-top-navigation keyword.
Note:
The allow-top-navigation and related values only make sense for embedded documents (such as child iframes). For standalone documents, these values have no effect, as the top-level browsing context is the document itself.
Examples
Sandbox the document but let it run scripts. Because allow-same-origin is absent, the document gets an opaque origin (Origin: null), so its scripts cannot read the site's cookies or storage, and without allow-forms or allow-popups it cannot submit forms or open windows:
Content-Security-Policy: sandbox allow-scripts;
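As an added example (not code from the MDN page or from any browser), the following Node.js script parses a served CSP header value, extracts the sandbox directive and flags the cases the keyword definitions above warn about: the directive being sent in Content-Security-Policy-Report-Only, where it is ignored; allow-scripts combined with allow-same-origin; an escape keyword without allow-popups; and misspelled keywords, which browsers silently drop. The parseCsp and auditSandbox names and the sample headers are constructed for this example.

```javascript
// Added example (not from the MDN page): audit the CSP sandbox directive as it
// would be served in a response header. Sample headers below are constructed.

// Keywords the sandbox directive accepts (same set as the <iframe> sandbox attribute).
const SANDBOX_KEYWORDS = new Set([
  "allow-downloads",
  "allow-forms",
  "allow-modals",
  "allow-orientation-lock",
  "allow-pointer-lock",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-presentation",
  "allow-same-origin",
  "allow-scripts",
  "allow-storage-access-by-user-activation",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Split a CSP header value into a Map of directive name -> value tokens.
// Directives are ';'-separated, tokens are whitespace-separated, and names are
// ASCII case-insensitive. A repeated directive is ignored after its first
// occurrence, which is how browsers treat duplicates.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/[ \t]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Audit the sandbox directive of one response header (hypothetical helper,
// not a browser API). Returns { sandboxed, keywords, findings }, where
// findings lists anything that makes the policy weaker than it looks.
function auditSandbox(headerName, headerValue) {
  const directives = parseCsp(headerValue);
  if (!directives.has("sandbox")) {
    return { sandboxed: false, keywords: [], findings: ["no sandbox directive"] };
  }
  const findings = [];
  // The directive is ignored entirely in the Report-Only header.
  if (headerName.toLowerCase() === "content-security-policy-report-only") {
    findings.push("sandbox is ignored in Content-Security-Policy-Report-Only, so nothing is enforced");
  }
  const keywords = directives.get("sandbox").map((k) => k.toLowerCase());
  for (const k of keywords) {
    // Unknown tokens are silently dropped: the restriction stays in place
    // even though the author meant to lift it.
    if (!SANDBOX_KEYWORDS.has(k)) findings.push(`unknown keyword "${k}" is ignored`);
  }
  const has = (k) => keywords.includes(k);
  if (has("allow-scripts") && has("allow-same-origin")) {
    findings.push("allow-scripts with allow-same-origin: scripts run with the real origin, so origin isolation is lost");
  }
  if (has("allow-popups-to-escape-sandbox") && !has("allow-popups")) {
    findings.push("allow-popups-to-escape-sandbox has no effect without allow-popups");
  }
  return { sandboxed: true, keywords, findings };
}

// Constructed sample headers (not captured from any real site).
const SAMPLES = [
  ["Content-Security-Policy", "default-src 'self'; sandbox allow-scripts"],
  ["Content-Security-Policy", "sandbox allow-scripts allow-same-origin allow-forms"],
  ["Content-Security-Policy-Report-Only", "sandbox allow-popups-to-escape-sandbox"],
  ["Content-Security-Policy", "default-src 'none'"],
];

for (const [name, value] of SAMPLES) {
  const result = auditSandbox(name, value);
  console.log(`${name}: ${value}`);
  console.log(`  sandboxed=${result.sandboxed} keywords=[${result.keywords.join(" ")}]`);
  for (const f of result.findings) console.log(`  ! ${f}`);
}
```

Run it with `node` against the header values your server actually emits (for example, copied from curl -I output); the first sample is the clean case from the Examples section, the second shows why allow-scripts plus allow-same-origin deserves a review comment, and the third shows a policy that looks restrictive but enforces nothing because it is in the Report-Only header.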
Specifications
| Specification |
|---|
| Content Security Policy Level 3, # directive-sandbox |
See also
- Content-Security-Policy
- sandbox attribute on <iframe> elements