Sandbox
The sandbox directive creates a restricted environment for the requested resource, similar to the sandbox attribute of an<iframe>
. It implements security measures by imposing limitations on various page actions, such as blocking pop-ups, disabling plugin and script execution, and enforcing a same-origin policy.
Important The sandbox
directive is not available when implementing CSP via meta tags. It must be delivered via HTTP header. See our CSP Implementation Methods article for more details.
Tips & Tricks
- You can selectively enable specific features by including their values in the sandbox directive.
- ⚠️ Be cautious when using this directive as it can significantly impact the functionality of your web application.
Available Values
Here are all the available sandbox values you can use:allow-downloads-without-user-activation
: Enables downloads to occur without user interactionallow-forms
: Permits form submission within the sandboxed contentallow-modals
: Enables the opening of modal windows in the sandboxed environmentallow-orientation-lock
: Allows the sandboxed content to disable screen orientation lockingallow-pointer-lock
: Grants access to the Pointer Lock API within the sandboxallow-popups
: Enables the creation of popups from the sandboxed contentallow-popups-to-escape-sandbox
: Permits popups to open without inheriting sandbox restrictionsallow-presentation
: Allows control over presentation session initiation in sandboxed iframesallow-same-origin
: Enables the content to maintain its original origin within the sandboxallow-scripts
: Permits script execution within the sandboxed environmentallow-storage-access-by-user-activation
: Allows the sandboxed content to request access to parent's storage via the Storage Access APIallow-top-navigation
: Enables navigation to the top-level browsing context from the sandboxallow-top-navigation-by-user-activation
: Permits top-level navigation only when triggered by user interaction