The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
CSP version | 1.1 / 2 |
---|---|
Directive type | Document directive |
This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field.
Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;
where <value> can optionally be one of the following values:
allow-forms
allow-modals
allow-orientation-lock
allow-pointer-lock
allow-popups (window.open, target="_blank", showModalDialog). If this keyword is not used, that functionality will silently fail.
allow-popups-to-escape-sandbox
allow-presentation
allow-same-origin
allow-scripts
allow-top-navigation
Content-Security-Policy: sandbox allow-scripts;
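A pre-deployment check for the syntax and support notes above, as an added example that is not part of the MDN page: it parses a CSP header value, extracts the sandbox directive, and reports keywords that are not on this page's list, delivery via the Report-Only header (where sandbox has no effect), and the allow-scripts plus allow-same-origin combination. The function name `checkSandbox` and the sample headers are assumptions made for illustration.

```javascript
// Added example (not from MDN): audit the sandbox directive of a CSP header.
// checkSandbox is a hypothetical helper; KNOWN is the keyword list on this page.
const KNOWN = new Set([
  'allow-forms', 'allow-modals', 'allow-orientation-lock', 'allow-pointer-lock',
  'allow-popups', 'allow-popups-to-escape-sandbox', 'allow-presentation',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
]);

function checkSandbox(headerName, headerValue) {
  const r = { present: false, enforced: false, allowed: [], unknown: [], warnings: [] };
  const name = headerName.trim().toLowerCase();
  const reportOnly = name === 'content-security-policy-report-only';
  if (!reportOnly && name !== 'content-security-policy') {
    r.warnings.push('not a CSP header');
    return r;
  }
  // A policy is a ';'-separated list of directives: a name followed by tokens.
  for (const directive of headerValue.split(';')) {
    const [dname, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (!dname || dname.toLowerCase() !== 'sandbox') continue;
    if (r.present) {
      r.warnings.push('duplicate sandbox directive; only the first is used');
      continue;
    }
    r.present = true;
    for (const t of tokens.map((x) => x.toLowerCase())) {
      (KNOWN.has(t) ? r.allowed : r.unknown).push(t);
    }
  }
  if (!r.present) return r;
  r.enforced = !reportOnly;
  // The page states sandbox is not supported in the Report-Only header.
  if (reportOnly) r.warnings.push('sandbox is ignored in Content-Security-Policy-Report-Only');
  if (r.unknown.length) r.warnings.push('unknown keywords: ' + r.unknown.join(', '));
  if (r.allowed.includes('allow-scripts') && r.allowed.includes('allow-same-origin')) {
    r.warnings.push('allow-scripts with allow-same-origin: scripts run with the real origin');
  }
  return r;
}

// Constructed sample headers, for illustration only.
for (const [n, v] of [
  ['Content-Security-Policy', 'sandbox allow-scripts;'],
  ['Content-Security-Policy-Report-Only', "default-src 'self'; sandbox"],
  ['Content-Security-Policy', 'sandbox allow-scripts allow-same-origin allow-popup'],
]) {
  console.log(n + ': ' + v, '=>', JSON.stringify(checkSandbox(n, v)));
}
```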
Specification | Status | Comment |
---|---|---|
Content Security Policy Level 3 The definition of 'sandbox' in that specification. | Working Draft | No changes. |
Content Security Policy Level 2 The definition of 'sandbox' in that specification. | Recommendation | Initial definition. |
Desktop | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari |
---|---|---|---|---|---|---|
Basic support | 25 | 14 | 50 | 10 | 15 | 7 |

Mobile | Android webview | Chrome for Android | Edge Mobile | Firefox for Android | Opera for Android | iOS Safari | Samsung Internet |
---|---|---|---|---|---|---|---|
Basic support | Yes | Yes | ? | 50 | ? | 7.1 | Yes |
Content-Security-Policy
sandbox attribute on <iframe> elements
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox