The HTTP Content-Security-Policy
(CSP)
sandbox
directive enables a sandbox for the requested
resource similar to the <iframe>
sandbox
attribute. It applies restrictions to a page's actions including preventing popups,
preventing the execution of plugins and scripts, and enforcing a same-origin policy.
CSP version | 1.1 / 2 |
---|---|
Directive type | Document directive |
This directive is not supported in the
<meta> element or by the
Content-Security-policy-Report-Only header field. |
Syntax
Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;
where <value>
can optionally be one of the following values:
allow-downloads-without-user-activation
- Allows for downloads to occur without a gesture from the user.
allow-forms
- Allows the page to submit forms. If this keyword is not used, this operation is not allowed.
allow-modals
- Allows the page to open modal windows.
allow-orientation-lock
- Allows the page to disable the ability to lock the screen orientation.
allow-pointer-lock
- Allows the page to use the Pointer Lock API.
allow-popups
- Allows popups (like from
window.open
,target="_blank"
,showModalDialog
). If this keyword is not used, that functionality will silently fail. allow-popups-to-escape-sandbox
- Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
allow-presentation
- Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin
- Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-scripts
- Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-storage-access-by-user-activation
- Lets the resource request access to the parent's storage capabilities with the Storage Access API.
allow-top-navigation
- Allows the page to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.
allow-top-navigation-by-user-activation
- Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
Examples
Content-Security-Policy: sandbox allow-scripts;
Specifications
Specification | Status | Comment |
---|---|---|
Content Security Policy Level 3 The definition of 'sandbox' in that specification. |
Working Draft | No changes. |
Content Security Policy Level 2 The definition of 'sandbox' in that specification. |
Recommendation | Initial definition. |
Browser compatibility
BCD tables only load in the browser
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
See also
Content-Security-Policy
sandbox
attribute on<iframe>
elements