{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) `sandbox` directive enables a sandbox for the requested resource similar to the {{HTMLElement("iframe")}} {{htmlattrxref("sandbox", "iframe")}} attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
| CSP version | 1.1 / 2 |
|---|---|
| Directive type | {{Glossary("Document directive")}} |
| Restrictions | This directive is not supported in the {{HTMLElement("meta")}} element or by the {{HTTPHeader("Content-Security-Policy-Report-Only")}} header field. |
## Syntax

The directive takes an optional `<value>`, which can be one of the following:
- `allow-downloads`: Allows downloading files through an {{HTMLElement("a")}} or {{HTMLElement("area")}} element with the `download` attribute, as well as through a navigation that leads to a file download. This works regardless of whether the user clicked on the link or JS code initiated it without user interaction.
- `allow-downloads-without-user-activation` {{experimental_inline}}: Allows downloads to occur without a gesture from the user.
- `allow-forms`: Allows the page to submit forms. If this keyword is not used, forms are displayed as normal, but submitting them will not trigger input validation, send data to a web server, or close a dialog.
- `allow-modals`: Allows the page to open modal windows by {{domxref("Window.alert()")}}, {{domxref("Window.confirm()")}}, {{domxref("Window.print()")}} and {{domxref("Window.prompt()")}}, while opening a {{HTMLElement("dialog")}} is allowed regardless of this keyword. It also allows the page to receive the {{domxref("BeforeUnloadEvent")}} event.
- `allow-orientation-lock`: Lets the resource lock the screen orientation.
- `allow-pointer-lock`: Allows the page to use the Pointer Lock API.
- `allow-popups`: Allows popups (such as from {{domxref("Window.open()")}}, `target="_blank"`, or {{domxref("Window.showModalDialog()")}}). If this keyword is not used, that functionality will silently fail.
- `allow-popups-to-escape-sandbox`: Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This allows, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon the page the ad links to.
- `allow-presentation`: Allows embedders to have control over whether an iframe can start a presentation session.
- `allow-same-origin`: If this token is not used, the resource is treated as being from a special origin that always fails the {{Glossary("same-origin policy")}} (potentially preventing access to data storage/cookies and some JavaScript APIs).
- `allow-scripts`: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
- `allow-storage-access-by-user-activation` {{experimental_inline}}: Lets the resource request access to the parent's storage capabilities with the Storage Access API.
- `allow-top-navigation`: Lets the resource navigate the top-level browsing context (the one named `_top`).
- `allow-top-navigation-by-user-activation`: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
- `allow-top-navigation-to-custom-protocols`: Allows navigations to non-`http` protocols built into the browser or registered by a website. This feature is also activated by the `allow-popups` or `allow-top-navigation` keyword.
## Examples
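As an added example (not code from the MDN page), a small JavaScript helper that extracts the `sandbox` directive from a `Content-Security-Policy` header value, checks its keywords against the list above and reports the document's effective capabilities. The header values it is run on are constructed for illustration.

```javascript
// Added example, not code from the MDN page: parse the sandbox directive out of a
// Content-Security-Policy header value and summarise what the document may do.
const SANDBOX_TOKENS = new Set(
  ("allow-downloads allow-downloads-without-user-activation allow-forms " +
   "allow-modals allow-orientation-lock allow-pointer-lock allow-popups " +
   "allow-popups-to-escape-sandbox allow-presentation allow-same-origin " +
   "allow-scripts allow-storage-access-by-user-activation allow-top-navigation " +
   "allow-top-navigation-by-user-activation " +
   "allow-top-navigation-to-custom-protocols").split(" ")
);
// Directives are ';'-separated; the first "sandbox" directive wins and later
// duplicates are ignored, as CSP requires. Names and keywords are compared
// ASCII case-insensitively; unrecognised keywords are reported, not applied.
function parseSandboxDirective(cspHeaderValue) {
  const result = { present: false, tokens: [], unknown: [] };
  for (const directive of cspHeaderValue.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0 || parts[0].toLowerCase() !== "sandbox") continue;
    result.present = true;
    for (const raw of parts.slice(1)) {
      const token = raw.toLowerCase();
      if (SANDBOX_TOKENS.has(token)) result.tokens.push(token);
      else result.unknown.push(raw);
    }
    break;
  }
  return result;
}
// Effective capabilities; a bare "sandbox" with no tokens is the most restrictive.
function describeSandbox(cspHeaderValue) {
  const { present, tokens, unknown } = parseSandboxDirective(cspHeaderValue);
  if (!present) return { sandboxed: false, warnings: [] };
  const has = (t) => tokens.includes(t);
  const warnings = [];
  if (has("allow-scripts") && has("allow-same-origin")) {
    warnings.push("allow-scripts with allow-same-origin: scripts run with the real " +
      "origin, so the sandbox no longer isolates the document from same-origin content");
  }
  if (unknown.length > 0) warnings.push("ignored unknown tokens: " + unknown.join(", "));
  return {
    sandboxed: true,
    scripts: has("allow-scripts"),
    forms: has("allow-forms"),
    opaqueOrigin: !has("allow-same-origin"),
    topNavigation: has("allow-top-navigation") ||
      has("allow-top-navigation-by-user-activation"),
    warnings,
  };
}
```

The warning for `allow-scripts` combined with `allow-same-origin` is the same caveat that applies to the iframe `sandbox` attribute: with both set, the document keeps its real origin and can run scripts, so the sandbox no longer separates it from other same-origin content.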
## Specifications

{{Specifications}}

## Browser compatibility

{{Compat}}

## See also

- {{HTTPHeader("Content-Security-Policy")}}
- {{htmlattrxref("sandbox", "iframe")}} attribute on {{HTMLElement("iframe")}} elements