CSP: sandbox

The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.

CSP version 1.1 / 2
Directive type Document directive
This directive is not supported in the <meta> element or by the Content-Security-policy-Report-Only header field.


Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;

where <value> can optionally be one of the following values:


Allows downloading files through an <a> or <area> element with the download attribute, as well as through the navigation that leads to a download of a file. This works regardless of whether the user clicked on the link, or JS code initiated it without user interaction.

allow-downloads-without-user-activation Experimental

Allows for downloads to occur without a gesture from the user.


Allows the page to submit forms. If this keyword is not used, form will be displayed as normal, but submitting it will not trigger input validation, sending data to a web server or closing a dialog.


Allows the page to open modal windows by Window.alert(), Window.confirm(), Window.print() and Window.prompt(), while opening a <dialog> is allowed regardless of this keyword. It also allows the page to receive BeforeUnloadEvent event.


Lets the resource lock the screen orientation.


Allows the page to use the Pointer Lock API.


Allows popups (like from Window.open(), target="_blank", Window.showModalDialog()). If this keyword is not used, that functionality will silently fail.


Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon the page the ad links to.


Allows embedders to have control over whether an iframe can start a presentation session.


If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).


Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.

allow-storage-access-by-user-activation Experimental

Lets the resource request access to the parent's storage capabilities with the Storage Access API.


Lets the resource navigate the top-level browsing context (the one named _top).


Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.


Allows navigations to non-http protocols built into browser or registered by a website. This feature is also activated by allow-popups or allow-top-navigation keyword.


Content-Security-Policy: sandbox allow-scripts;


Content Security Policy Level 3
# directive-sandbox

Browser compatibility

BCD tables only load in the browser

See also