- No translations exist for this article.
- Add a translation
Edit
Advanced
- History
- Print this article

CSP: sandbox

Jump to:

Syntax
Examples
Specifications
Browser compatibility
See also

The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.

This directive is not supported in the `<meta>` element or by the `Content-Security-policy-Report-Only` header field.
CSP version	1.1 / 2
Directive type	Document directive

Syntax

Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;

where <value> can optionally be one of the following values:

allow-forms: Allows the embedded browsing context to submit forms. If this keyword is not used, this operation is not allowed.
allow-modals: Allows the embedded browsing context to open modal windows.
allow-orientation-lock: Allows the embedded browsing context to disable the ability to lock the screen orientation.
allow-pointer-lock: Allows the embedded browsing context to use the Pointer Lock API.
allow-popups: Allows popups (like from window.open, target="_blank", showModalDialog). If this keyword is not used, that functionality will silently fail.
allow-popups-to-escape-sandbox: Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
allow-presentation: Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin: Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-scripts: Allows the embedded browsing context to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-top-navigation: Allows the embedded browsing context to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.

Examples

Content-Security-Policy: sandbox allow-scripts;

Specifications

Specification	Status	Comment
Content Security Policy Level 3 The definition of 'sandbox' in that specification.	Working Draft	No changes.
Content Security Policy Level 2 The definition of 'sandbox' in that specification.	Recommendation	Initial definition.

Feature	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari
Basic support	25	14	50	10	15	7

Feature	Android webview	Chrome for Android	Edge mobile	Firefox for Android	Opera Android	iOS Safari	Samsung Internet
Basic support	Yes	Yes	?	50	?	7.1	Yes

	Desktop						Mobile
	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari	Android webview	Chrome for Android	Edge Mobile	Firefox for Android	Opera for Android	iOS Safari	Samsung Internet
Basic support	Chrome Full support 25	Edge Full support 14	Firefox Full support 50	IE Full support 10	Opera Full support 15	Safari Full support 7	WebView Android Full support Yes	Chrome Android Full support Yes	Edge Mobile ?	Firefox Android Full support 50	Opera Android ?	Safari iOS Full support 7.1	Samsung Internet Android Full support Yes

Legend

Full support: Full support
Compatibility unknown: Compatibility unknown

Document Tags and Contributors

Tags:

Contributors to this page: fscholz, teoli

Last updated by: fscholz, Jun 7, 2017, 10:54:30 AM