Content Security Policy (CSP)
Quick Reference Guide

The CSP sandbox Directive

The sandbox Content Security Policy (CSP) directive can be used to tell the browser to disable several features unless explicitly enabled.

Example Policy

Assume a Content-Security-Policy header is set with the following policy:

Content-Security-Policy: sandbox;

The sandbox directive would prevent the following from working:

The sandbox CSP directive is not the only way to block script execution. You can also use the script-src CSP directive to block JavaScript execution by setting it to: script-src 'none'

You can also block form submissions by using the form-action CSP directive. To block all forms you would use: form-action 'none';

Both form-action and script-src are quite a bit more flexible than using the sandbox because you can enable scripts or form actions on the same origin only, or from certain trusted sources only.

Sandbox flags

Meta Support

The sandbox CSP directive must be set via a HTTP response header. It is ignored when included in a meta tag.

Browser Support for sandbox

CSP Level 1

Supported On:

Chrome 25+ (2013)
Firefox 23+ (2013)
Safari 7+ (2013)

The CSP sandbox directive has been part of the Content Security Policy Specification since the first version of it (CSP Level 1). It is the only CSP feature that was supported in Internet Explorer 11 CSP implementation, via the now discouraged X-Content-Security-Policy header (don't use the X- prefix anymore).

CSP Developer Field Guide

CSP Developer Field Guide

Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.

Grab a Copy

Struggling to stay on top of security advisories?

Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.