sandbox
The sandbox directive creates a restricted environment for the requested resource, akin to the sandbox attribute of an <iframe>. It restricts what the page can do: pop-ups are blocked, plugin and script execution is disabled, and a same-origin policy is enforced.
Tips & Tricks
You can selectively enable specific features by including their values in the sandbox directive.
Be cautious when using this directive as it can significantly impact the functionality of your web application.
Available Values
allow-downloads-without-user-activation
Enables downloads to occur without user interaction
allow-forms
Permits form submission within the sandboxed content
allow-modals
Enables the opening of modal windows in the sandboxed environment
allow-orientation-lock
Allows the sandboxed content to disable screen orientation locking
allow-pointer-lock
Grants access to the Pointer Lock API within the sandbox
allow-popups
Enables the creation of popups from the sandboxed content
allow-popups-to-escape-sandbox
Permits popups to open without inheriting sandbox restrictions
allow-presentation
Allows control over presentation session initiation in sandboxed iframes
allow-same-origin
Enables the content to maintain its original origin within the sandbox
allow-scripts
Permits script execution within the sandboxed environment
allow-storage-access-by-user-activation
Allows the sandboxed content to request access to parent's storage via the Storage Access API
allow-top-navigation
Enables navigation to the top-level browsing context from the sandbox
allow-top-navigation-by-user-activation
Permits top-level navigation only when triggered by user interaction
Frequently Asked Questions
What is the sandbox directive used for?
The sandbox directive enables a sandbox for the requested resource similar to the iframe sandbox attribute. It restricts potentially dangerous features like popups, plugins, scripts, and form submission. This helps create a secure environment for untrusted content.
Security Note
Be careful when allowing sandbox permissions - only enable the minimum features required for your use case.
What values can be used with the sandbox directive?
The sandbox directive can be empty to apply all restrictions, or include specific permissions like 'allow-scripts', 'allow-forms', 'allow-popups', 'allow-same-origin', etc. Multiple values can be combined to grant specific permissions while maintaining other restrictions.
Usage Example
sandbox allow-scripts allow-forms - Allows JavaScript execution and form submission while maintaining other restrictions.
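The check below is an added example, not code from this page or its project: it parses a Content-Security-Policy header value, extracts the sandbox directive, and reports unknown tokens and tokens beyond the ones the application needs. The function names, the `needed` parameter and the sample header values are assumptions made for illustration.

```javascript
// Added example: audit the sandbox directive in a Content-Security-Policy header value.
// KNOWN_TOKENS is the list of values given on this page.
const KNOWN_TOKENS = new Set([
  "allow-downloads-without-user-activation", "allow-forms", "allow-modals",
  "allow-orientation-lock", "allow-pointer-lock", "allow-popups",
  "allow-popups-to-escape-sandbox", "allow-presentation", "allow-same-origin",
  "allow-scripts", "allow-storage-access-by-user-activation",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Split a CSP header value into a Map of directive name -> tokens.
// When a directive is repeated, only its first occurrence is kept.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue; // empty segment, e.g. a trailing ";"
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Hypothetical helper: `needed` lists the tokens the application really requires.
function auditSandbox(headerValue, needed = []) {
  const raw = parseCsp(headerValue).get("sandbox");
  if (raw === undefined) {
    return { present: false, tokens: [], unknown: [], excess: [], missing: [...needed], warnings: [] };
  }
  const tokens = [...new Set(raw.map((t) => t.toLowerCase()))];
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t)); // typos grant nothing
  const excess = tokens.filter((t) => KNOWN_TOKENS.has(t) && !needed.includes(t));
  const missing = needed.filter((t) => !tokens.includes(t));
  const warnings = [];
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    warnings.push("allow-scripts with allow-same-origin: script runs with the document's real origin");
  }
  return { present: true, tokens, unknown, excess, missing, warnings };
}

// Constructed sample header values (not taken from a real site).
const SAMPLE_STRICT = "default-src 'self'; sandbox";
const SAMPLE_LOOSE =
  "default-src 'self'; sandbox allow-scripts allow-forms allow-same-origin allow-popup";
```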
How does sandbox differ from iframe sandboxing?
While iframe sandboxing applies only to individual iframes, the CSP sandbox directive applies restrictions to the entire document and all its resources. The available values and restrictions are similar, but the CSP directive provides document-wide protection.
Best Practice
Consider using both CSP sandbox and iframe sandbox attributes for defense in depth when dealing with untrusted content.