sandbox Directive

The sandbox Content Security Policy (CSP) directive can be used to tell the browser to disable several features unless they are explicitly enabled.

Assume a Content-Security-Policy header is set with the following policy:
Content-Security-Policy: sandbox;
The sandbox directive would prevent the following from working:
The sandbox CSP directive is not the only way to block script execution. You can also use the script-src CSP directive to block JavaScript execution by setting it to: script-src 'none'
You can also block form submissions by using the form-action CSP directive. To block all forms you would use: form-action 'none';
Both form-action and script-src are quite a bit more flexible than using the sandbox because you can enable scripts or form actions on the same origin only, or from certain trusted sources only.
allow-scripts: Permits script execution.
allow-forms: Permits form submission within the sandbox.
allow-modals: Allows creation of modal windows.
allow-orientation-lock: Permits locking screen orientation.
allow-pointer-lock: Allows obtaining a mouse pointer lock (requestPointerLock()), which captures mouse events beyond the browser or screen boundaries.
allow-popups: Allows opening popup windows (window.open(), window.showModalDialog, or target="_blank").
allow-popups-to-escape-sandbox: Allows popups to break out of the sandbox.
allow-presentation: Allows screen presentation features (PresentationRequest).
allow-top-navigation: Allows top-level navigation (_top).
allow-downloads: Allows downloading files.
allow-same-origin: The sandboxed resource runs under a special context where the same origin policy check always fails unless this flag is present.

The sandbox CSP directive must be set via an HTTP response header. It is ignored when included in a meta tag.
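To see how the sandbox directive, its allow-* flags, and the script-src / form-action alternatives combine, here is an added example (not code from the original page): it parses a Content-Security-Policy value and reports whether script execution and form submission end up blocked, treating a sandbox delivered in a meta tag as ignored, as the text describes. The helper names parse_csp, sandbox_flags and blocks are my own.

```python
from typing import Dict, List, Optional, Set

# Sandbox flag tokens listed on this page.
SANDBOX_FLAGS = {
    "allow-scripts", "allow-forms", "allow-modals", "allow-orientation-lock",
    "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
    "allow-presentation", "allow-top-navigation", "allow-downloads",
    "allow-same-origin",
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [tokens]}; directives are ';'-separated."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def sandbox_flags(policy: str, delivered_via_meta: bool = False) -> Optional[Set[str]]:
    """Return the active sandbox flags, or None when no sandbox applies.

    A sandbox directive delivered in a <meta> tag is ignored by browsers,
    so it is treated as absent. Unknown flag tokens raise, since a typo
    such as 'allow-script' silently leaves that feature disabled.
    """
    directives = parse_csp(policy)
    if "sandbox" not in directives or delivered_via_meta:
        return None
    flags = set(directives["sandbox"])
    unknown = flags - SANDBOX_FLAGS
    if unknown:
        raise ValueError(f"unknown sandbox flags: {sorted(unknown)}")
    return flags


def blocks(policy: str, delivered_via_meta: bool = False) -> Dict[str, bool]:
    """Report whether the policy blocks scripts and forms by either mechanism."""
    directives = parse_csp(policy)
    flags = sandbox_flags(policy, delivered_via_meta)
    sandboxed = flags is not None
    scripts = (sandboxed and "allow-scripts" not in flags) or directives.get("script-src") == ["'none'"]
    forms = (sandboxed and "allow-forms" not in flags) or directives.get("form-action") == ["'none'"]
    return {"scripts": scripts, "forms": forms}
```

A bare `sandbox;` blocks both, `sandbox allow-scripts` blocks only forms, and the same header in a meta tag blocks nothing.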
The CSP sandbox directive has been part of the Content Security Policy specification since its first version (CSP Level 1). It is the only CSP feature that was supported in Internet Explorer 11's CSP implementation, via the now discouraged X-Content-Security-Policy header (don't use the X- prefix anymore).