MDN wants to talk to developers like you: https://qsurvey.mozilla.com/s3/8d22564490d8

CSP: sandbox

The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.

CSP version 1.1 / 2
Directive type Document directive
This directive is not supported in the <meta> element or by the Content-Security-policy-Report-Only header field.

Syntax

Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;

where <value> can optionally be one of the following values:

allow-forms
Allows the embedded browsing context to submit forms. If this keyword is not used, this operation is not allowed.
allow-modals
Allows the embedded browsing context to open modal windows.
allow-orientation-lock
Allows the embedded browsing context to disable the ability to lock the screen orientation.
allow-pointer-lock
Allows the embedded browsing context to use the Pointer Lock API.
allow-popups
Allows popups (like from window.open, target="_blank", showModalDialog). If this keyword is not used, that functionality will silently fail.
allow-popups-to-escape-sandbox
Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
allow-presentation
Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin
Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-scripts
Allows the embedded browsing context to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-top-navigation
Allows the embedded browsing context to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.

Examples

Content-Security-Policy: sandbox allow-scripts;

Specifications

Specification Status Comment
Content Security Policy Level 3
The definition of 'sandbox' in that specification.
Editor's Draft No changes.
Content Security Policy Level 2
The definition of 'sandbox' in that specification.
Candidate Recommendation Initial definition.

Browser compatibility

Feature Chrome Edge Firefox Internet Explorer Opera Safari Servo
Basic Support251450.010157?
Feature Android Chrome for Android Edge Mobile Firefox for Android IE Mobile Opera Mobile Safari Mobile
Basic Support4.4(Yes)?50.010?7.1

See also

Document Tags and Contributors

 Contributors to this page: teoli, fscholz
 Last updated by: teoli,