Content-Security-Policy: sandbox directive

Baseline: Widely available

This feature is well established and works across many devices and browser versions. It has been available across browsers since November 2016.

The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource, similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions, including preventing popups, preventing the execution of plugins and scripts, and treating the document as having an opaque origin, so that it fails same-origin checks against every other origin, including the one it was served from. Unlike the <iframe> attribute, which the embedding page applies, the header lets the server sandbox a top-level document (for example, user-uploaded HTML served from its own origin).

CSP version: 1.1 / 2
Directive type: Document directive

This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field, so it cannot be trialled in report-only mode; it takes effect only in the enforcing Content-Security-Policy header.

Syntax

http
Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;

where <value> is optional and, when present, consists of one or more of the following keywords separated by spaces (for example, sandbox allow-scripts allow-forms):

allow-downloads

Allows downloading files through an <a> or <area> element with the download attribute, as well as through a navigation that leads to a download of a file. This works regardless of whether the user clicked on the link or JS code initiated it without user interaction.

allow-forms

Allows the page to submit forms. If this keyword is not used, the form will be displayed as normal, but submitting it will not trigger input validation, send data to a web server, or close a dialog.

allow-modals

Allows the page to open modal windows by Window.alert(), Window.confirm(), Window.print() and Window.prompt(), while opening a <dialog> is allowed regardless of this keyword. It also allows the page to receive a BeforeUnloadEvent.

allow-orientation-lock

Lets the resource lock the screen orientation.

allow-pointer-lock

Allows the page to use the Pointer Lock API.

allow-popups

Allows popups (created, for example, by Window.open() or target="_blank"). If this keyword is not used, popup display will silently fail.

allow-popups-to-escape-sandbox

Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon the page the ad links to.

allow-presentation

Allows embedders to have control over whether an iframe can start a presentation session.

allow-same-origin

Allows a sandboxed resource to retain its origin. A sandboxed resource is otherwise treated as being from an opaque origin, which ensures that it will always fail same-origin policy checks, and hence cannot access localStorage, document.cookie, and some other JavaScript APIs. The origin of a sandboxed resource without the allow-same-origin keyword serializes as null (for example, in the Origin request header and in window.origin). Combine this keyword with allow-scripts only for content you trust: a document that keeps its real origin and runs script can reach that origin's cookies and storage, so the sandbox then provides little isolation.

allow-scripts

Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, scripts in the page do not run.

allow-storage-access-by-user-activation (Experimental)

Lets the resource request access to the parent's storage capabilities with the Storage Access API.

allow-top-navigation

Lets the resource navigate the top-level browsing context (the one named _top).

allow-top-navigation-by-user-activation

Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.

allow-top-navigation-to-custom-protocols

Allows navigations to non-HTTP protocols built into the browser or registered by a website. This feature is also activated by the allow-popups or allow-top-navigation keyword.

Note: The allow-top-navigation and related values only make sense for embedded documents (such as child iframes). For standalone documents, these values have no effect, as the top-level browsing context is the document itself.

Examples

http
Content-Security-Policy: sandbox allow-scripts;

Specifications

Specification
Content Security Policy Level 3
# directive-sandbox

This page was last modified by MDN contributors.