Other
The other directives are used to control the resources that can be loaded by the browser. Learn more about the other directives that can be used in the Content-Security-Policy.
sandbox
The sandbox directive creates a restricted environment for the requested resource, akin to the sandbox attribute of an <iframe>. It imposes limitations on various page actions, such as blocking pop-ups, disabling plugin and script execution, and implementing a same-origin policy.
Tips & Tricks
You can selectively re-enable specific features by adding the corresponding allow-* values to the sandbox directive.
Be cautious when using this directive as it can significantly impact the functionality of your web application.
Available Values
allow-downloads-without-user-activation
Enables downloads to occur without user interaction
allow-forms
Permits form submission within the sandboxed content
allow-modals
Enables the opening of modal windows in the sandboxed environment
allow-orientation-lock
Allows the sandboxed content to disable screen orientation locking
allow-pointer-lock
Grants access to the Pointer Lock API within the sandbox
allow-popups
Enables the creation of popups from the sandboxed content
allow-popups-to-escape-sandbox
Permits popups to open without inheriting sandbox restrictions
allow-presentation
Allows control over presentation session initiation in sandboxed iframes
allow-same-origin
Enables the content to maintain its original origin within the sandbox
allow-scripts
Permits script execution within the sandboxed environment
allow-storage-access-by-user-activation
Allows the sandboxed content to request access to parent's storage via the Storage Access API
allow-top-navigation
Enables navigation to the top-level browsing context from the sandbox
allow-top-navigation-by-user-activation
Permits top-level navigation only when triggered by user interaction
base-uri
The base-uri directive restricts the URLs that can be used in a document's <base> element. If the directive is absent, any URI is allowed and the user agent simply uses whatever value the <base> element specifies.
Recommended Values
'self'
Restricts base URLs to the same origin as the document
Tips & Tricks
'unsafe-inline' and 'strict-dynamic' do not apply to base-uri.
If not specified, any URI can be used in the <base> element, which could potentially be exploited.
Examples
Restricts <base> element to same origin
Content-Security-Policy: base-uri 'self';
Allowed
<base href="https://mywebsite.com/">
Blocked
<base href="https://otherwebsite.com/">
form-action
The form-action directive restricts the URLs that can be used as the target of form submissions from a given context. This directive helps prevent Cross-Site Request Forgery (CSRF) attacks by limiting where forms can be submitted to.
Recommended Values
'self'
Restricts form submissions to the same origin as the document
Tips & Tricks
If not specified, form submissions to any URL are allowed, which could potentially be exploited.
Examples
Restricts form submissions to same origin
Content-Security-Policy: form-action 'self';
Allowed
<form action="/submit" id="form1" method="post">
  <input type="text" name="fieldName" value="fieldValue">
  <input type="submit" id="submit" value="submit">
</form>
Blocked
<form action='https://malicious.website.com/submit'>
  <input type="text" name="username" value="user123">
  <input type="password" name="password" value="secretpass">
  <input type="submit" value="Login">
</form>
frame-ancestors
The frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. This directive helps prevent clickjacking attacks by ensuring that your content is only embedded on trusted sites.
Recommended Values
'none'
Prevents any domain from framing the content
'self'
Allows embedding only from the same origin
Tips & Tricks
The frame-ancestors directive supersedes the older X-Frame-Options header for modern browsers that support CSP.
If X-Frame-Options is also present, the browser will use the frame-ancestors directive as it's more specific and overrides X-Frame-Options.
The frame-ancestors directive does not apply to the <frame> element.
The frame-ancestors directive does not fall back to default-src.
Examples
Allow embedding only from the same origin
Content-Security-Policy: frame-ancestors 'self' https://trusted-site.com;
Allowed
<iframe src='https://trusted-site.com/page'></iframe>
Blocked
<iframe src='https://malicious-site.com/page'></iframe>
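As an added example that is not part of the original page, the following Python checks a CSP header for the points made in the sandbox, base-uri, form-action and frame-ancestors sections above: those three directives never fall back to default-src, so omitting them leaves the behaviour unrestricted, and sandbox only honours the allow-* tokens listed. It is a small directive splitter rather than a full CSP parser; the header strings it is exercised with are constructed for illustration.

```python
# Added example, not code from the original page. Checks a CSP header for
# the points made above: base-uri, form-action and frame-ancestors never
# fall back to default-src, so an absent directive means "unrestricted",
# and sandbox only honours the allow-* tokens documented on this page.

# sandbox tokens listed on this page; anything else is silently ignored
SANDBOX_TOKENS = {
    "allow-downloads-without-user-activation", "allow-forms",
    "allow-modals", "allow-orientation-lock", "allow-pointer-lock",
    "allow-popups", "allow-popups-to-escape-sandbox", "allow-presentation",
    "allow-same-origin", "allow-scripts",
    "allow-storage-access-by-user-activation", "allow-top-navigation",
    "allow-top-navigation-by-user-activation",
}

# what an absent (or wildcard) directive means, since there is no fallback
NO_FALLBACK = {
    "base-uri": "any URL may be used in <base>",
    "form-action": "forms may be submitted to any URL",
    "frame-ancestors": "any site may frame this page (clickjacking)",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header into {directive: [values]}. Directives are separated
    by ';', names are case-insensitive, and a repeated directive keeps its
    first occurrence, which is how browsers treat duplicates."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header: str) -> list[str]:
    """Return one finding per weakness; an empty list means none found."""
    policy = parse_csp(header)
    findings = []
    for directive, consequence in NO_FALLBACK.items():
        values = policy.get(directive)
        if values is None:
            findings.append(f"{directive} not set: {consequence}")
        elif "*" in values:
            findings.append(f"{directive} is '*': {consequence}")
    for token in policy.get("sandbox", []):
        if token not in SANDBOX_TOKENS:
            findings.append(f"sandbox: unknown token {token!r} is ignored")
    return findings
```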
require-trusted-types-for
This directive instructs user agents to control the data passed to DOM XSS sink functions, such as the Element.innerHTML setter.
Recommended Values
'script'
Enforces Trusted Types for script execution contexts
Tips & Tricks
This directive helps mitigate DOM-based XSS attacks by ensuring that only trusted, typed values are used in sensitive DOM APIs.
This is an experimental technology. Check browser compatibility before using in production.
Examples
Requires Trusted Types for all script execution contexts and defines a policy named 'foo'
Content-Security-Policy: require-trusted-types-for 'script'; trusted-types foo;
Allowed
const sanitizer = trustedTypes.createPolicy("foo", {
  createHTML: (input) => DOMPurify.sanitize(input),
});
el.innerHTML = sanitizer.createHTML(attackerInput); // Puts the sanitized value into the DOM.
Blocked
el.innerHTML = attackerInput; // Rejects a string value; throws a TypeError.
referrer
This directive specifies the referrer policy for the document.
Tips & Tricks
The referrer directive is deprecated and replaced by the Referrer-Policy header. The referrer directive has been removed in modern browsers.