Sandbox

The sandbox directive creates a restricted environment for the requested resource, similar to the sandbox attribute of an <iframe>. It implements security measures by imposing limitations on various page actions, such as blocking pop-ups, disabling plugin and script execution, and enforcing a same-origin policy.

Important The sandbox directive is not available when implementing CSP via meta tags. It must be delivered via HTTP header. See our CSP Implementation Methods article for more details.

Tips & Tricks

  • You can selectively enable specific features by including their values in the sandbox directive.
  • ⚠️ Be cautious when using this directive as it can significantly impact the functionality of your web application.

Available Values

Here are all the available sandbox values you can use:
  • allow-downloads-without-user-activation: Enables downloads to occur without user interaction
  • allow-forms: Permits form submission within the sandboxed content
  • allow-modals: Enables the opening of modal windows in the sandboxed environment
  • allow-orientation-lock: Allows the sandboxed content to disable screen orientation locking
  • allow-pointer-lock: Grants access to the Pointer Lock API within the sandbox
  • allow-popups: Enables the creation of popups from the sandboxed content
  • allow-popups-to-escape-sandbox: Permits popups to open without inheriting sandbox restrictions
  • allow-presentation: Allows control over presentation session initiation in sandboxed iframes
  • allow-same-origin: Enables the content to maintain its original origin within the sandbox
  • allow-scripts: Permits script execution within the sandboxed environment
  • allow-storage-access-by-user-activation: Allows the sandboxed content to request access to parent's storage via the Storage Access API
  • allow-top-navigation: Enables navigation to the top-level browsing context from the sandbox
  • allow-top-navigation-by-user-activation: Permits top-level navigation only when triggered by user interaction