The HTTP Content-Security-Policy
(CSP) sandbox
directive enables a sandbox for the requested resource similar to the <iframe>
sandbox
attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
CSP version | 1.1 / 2 |
---|---|
Directive type | Document directive |
This directive is not supported in the <meta> element or by the Content-Security-policy-Report-Only header field. |
Syntax
Content-Security-Policy: sandbox; Content-Security-Policy: sandbox <value>;
where <value>
can optionally be one of the following values:
allow-forms
- Allows the embedded browsing context to submit forms. If this keyword is not used, this operation is not allowed.
allow-modals
- Allows the embedded browsing context to open modal windows.
allow-orientation-lock
- Allows the embedded browsing context to disable the ability to lock the screen orientation.
allow-pointer-lock
- Allows the embedded browsing context to use the Pointer Lock API.
allow-popups
- Allows popups (like from
window.open
,target="_blank"
,showModalDialog
). If this keyword is not used, that functionality will silently fail. allow-popups-to-escape-sandbox
- Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
allow-presentation
- Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin
- Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-scripts
- Allows the embedded browsing context to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-top-navigation
- Allows the embedded browsing context to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.
Examples
Content-Security-Policy: sandbox allow-scripts;
Specifications
Specification | Status | Comment |
---|---|---|
Content Security Policy Level 3 The definition of 'sandbox' in that specification. |
Editor's Draft | No changes. |
Content Security Policy Level 2 The definition of 'sandbox' in that specification. |
Recommendation | Initial definition. |
Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
Feature | Chrome | Firefox | Edge | Internet Explorer | Opera | Safari |
---|---|---|---|---|---|---|
Basic Support | 25 | 50.0 | 14 | 10 | 15 | 7 |
Feature | Android | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari |
---|---|---|---|---|---|---|---|
Basic Support | 4.4 | (Yes) | ? | 50.0 | 10 | ? | 7.1 |
See also
Content-Security-Policy
sandbox
attribute on<iframe>
elements