The `sandbox` directive enables a sandbox for the requested resource, similar to the `sandbox` attribute of an `<iframe>`. It applies restrictions to a page's actions, including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
CSP version: 1.1 / 2
Directive type: Document directive
This directive is not supported in the
    Content-Security-Policy: sandbox;
    Content-Security-Policy: sandbox <value>;

`<value>` can optionally be one of the following values:
- Allows for downloads after the user clicks a button or link.
- Allows for downloads to occur without a gesture from the user.
- Allows the page to submit forms. If this keyword is not used, this operation is not allowed.
- Allows the page to open modal windows.
- Allows the page to disable the ability to lock the screen orientation.
- Allows the page to use the Pointer Lock API.
- Allows popups (like from `showModalDialog`). If this keyword is not used, that functionality will silently fail.
- Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
- Allows embedders to have control over whether an iframe can start a presentation session.
- Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
- Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
- Lets the resource request access to the parent's storage capabilities with the Storage Access API.
- Allows the page to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.
- Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
    Content-Security-Policy: sandbox allow-scripts;
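As an added example (not part of this reference page), the following Python helper parses a `Content-Security-Policy` header value, extracts the `sandbox` directive's keywords and reports what a defender reviewing the policy would want to know. The keyword set is taken from the HTML `sandbox` attribute and CSP specifications rather than from this page; the function names are this example's own.

```python
"""Inspect the CSP ``sandbox`` directive in a response header value."""
from __future__ import annotations

# Keywords accepted by the HTML ``sandbox`` attribute / CSP ``sandbox`` directive.
# Assumption: this list reflects the HTML and CSP specifications, not the page above.
SANDBOX_KEYWORDS = frozenset({
    "allow-downloads", "allow-downloads-without-user-activation", "allow-forms",
    "allow-modals", "allow-orientation-lock", "allow-pointer-lock", "allow-popups",
    "allow-popups-to-escape-sandbox", "allow-presentation", "allow-same-origin",
    "allow-scripts", "allow-storage-access-by-user-activation",
    "allow-top-navigation", "allow-top-navigation-by-user-activation",
})


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [values]}.
    Directive names are ASCII case-insensitive; when a directive is repeated,
    browsers honour the first occurrence and ignore the rest."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def sandbox_flags(header: str) -> list[str] | None:
    """Return the sandbox keywords, [] for a bare ``sandbox`` (all restrictions
    apply), or None when the policy does not sandbox the document at all."""
    policy = parse_csp(header)
    if "sandbox" not in policy:
        return None
    return [v.lower() for v in policy["sandbox"]]


def review_sandbox(header: str) -> list[str]:
    """Findings worth surfacing in a policy review: misspelled keywords (a
    browser silently ignores them, so the restriction stays in force) and the
    allow-scripts + allow-same-origin pair, which grants both scripting and the
    document's real origin, the two restrictions that isolate sandboxed content."""
    flags = sandbox_flags(header)
    if flags is None:
        return ["no sandbox directive: document is not sandboxed by CSP"]
    findings = [f"unknown sandbox keyword ignored: {f}"
                for f in flags if f not in SANDBOX_KEYWORDS]
    if {"allow-scripts", "allow-same-origin"} <= set(flags):
        findings.append("allow-scripts with allow-same-origin grants scripting "
                        "and the real origin, undoing the isolation")
    return findings
```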
Specification: Content Security Policy Level 3 (Content Security Policy 3)