CSP: sandbox

The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.

CSP version 1.1 / 2
Directive type Document directive
This directive is not supported in the <meta> element or by the Content-Security-policy-Report-Only header field.

Syntax

Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;

where <value> can optionally be one of the following values:

allow-forms
Allows the embedded browsing context to submit forms. If this keyword is not used, this operation is not allowed.
allow-modals
Allows the embedded browsing context to open modal windows.
allow-orientation-lock
Allows the embedded browsing context to disable the ability to lock the screen orientation.
allow-pointer-lock
Allows the embedded browsing context to use the Pointer Lock API.
allow-popups
Allows popups (like from window.open, target="_blank", showModalDialog). If this keyword is not used, that functionality will silently fail.
allow-popups-to-escape-sandbox
Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
allow-presentation
Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin
Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-scripts
Allows the embedded browsing context to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-top-navigation
Allows the embedded browsing context to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.

Examples

Content-Security-Policy: sandbox allow-scripts;

Specifications

Specification Status Comment
Content Security Policy Level 3
The definition of 'sandbox' in that specification.
Working Draft No changes.
Content Security Policy Level 2
The definition of 'sandbox' in that specification.
Recommendation Initial definition.

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidEdge MobileFirefox for AndroidOpera for AndroidiOS SafariSamsung Internet
Basic supportChrome Full support 25Edge Full support 14Firefox Full support 50IE Full support 10Opera Full support 15Safari Full support 7WebView Android Full support YesChrome Android Full support YesEdge Mobile ? Firefox Android Full support 50Opera Android ? Safari iOS Full support 7.1Samsung Internet Android Full support Yes

Legend

Full support  
Full support
Compatibility unknown  
Compatibility unknown

See also

Document Tags and Contributors

Contributors to this page: fscholz, teoli
Last updated by: fscholz,