W3cubDocs

/HTTP

CSP: sandbox

The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.

CSP version 1.1 / 2
Directive type Document directive
This directive is not supported in the <meta> element or by the Content-Security-policy-Report-Only header field.

Syntax

Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;

where <value> can optionally be one of the following values:

allow-forms
Allows the embedded browsing context to submit forms. If this keyword is not used, this operation is not allowed.
allow-modals
Allows the embedded browsing context to open modal windows.
allow-orientation-lock
Allows the embedded browsing context to disable the ability to lock the screen orientation.
allow-pointer-lock
Allows the embedded browsing context to use the Pointer Lock API.
allow-popups
Allows popups (like from window.open, target="_blank", showModalDialog). If this keyword is not used, that functionality will silently fail.
allow-popups-to-escape-sandbox
Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
allow-presentation
Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin
Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-scripts
Allows the embedded browsing context to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-top-navigation
Allows the embedded browsing context to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.

Examples

Content-Security-Policy: sandbox allow-scripts;

Specifications

Specification Status Comment
Content Security Policy Level 3
The definition of 'sandbox' in that specification.		 Working Draft No changes.
Content Security Policy Level 2
The definition of 'sandbox' in that specification.		 Recommendation Initial definition.

Browser compatibilityUpdate compatibility data on GitHub

Desktop
Chrome Edge Firefox Internet Explorer Opera Safari
Basic support 25 14 50 10 15 7
Mobile
Android webview Chrome for Android Edge Mobile Firefox for Android Opera for Android iOS Safari Samsung Internet
Basic support Yes Yes ? 50 ? 7.1 Yes

See also

Edit this page on MDN

© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox