The sandbox Content Security Policy (CSP) directive tells the browser to disable several features unless each one is explicitly enabled.
Suppose the Content-Security-Policy response header is set to a policy consisting only of the sandbox directive, with no allow-* flags. In that configuration the sandbox directive prevents every feature governed by the allow-* flags listed below from working: script execution, form submission, popups, top-level navigation, and the rest.
The sandbox CSP directive is not the only way to block script execution. You can also use the script-src CSP directive; setting it to 'none' blocks all script execution.
You can also block form submissions by using the form-action CSP directive. To block all forms you would set form-action to 'none'.
The form-action and script-src directives are quite a bit more flexible than the sandbox directive, because they let you allow scripts or form actions on the same origin only, or only from certain trusted sources, rather than switching the feature off entirely.
allow-scripts: Permits script execution.
allow-forms: Permits form submission within the sandbox.
allow-modals: Allows creation of modal windows.
allow-orientation-lock: Permits locking screen orientation.
allow-pointer-lock: Allows obtaining a mouse pointer lock (requestPointerLock()), which captures mouse events beyond the browser or screen boundaries.
allow-popups: Allows opening popup windows.
allow-popups-to-escape-sandbox: Allows popups to break out of the sandbox.
allow-presentation: Allows screen presentation features.
allow-top-navigation: Allows top-level navigation.
allow-downloads: Allows downloading files.
allow-same-origin: Without this flag the sandboxed resource runs in a special context where every same-origin policy check fails; with it, the resource keeps its normal origin.
The sandbox CSP directive must be set via an HTTP response header; it is ignored when included in a meta tag.
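The following Python script is an added example, not code from the original page. It parses a Content-Security-Policy value and reports what a sandbox directive leaves enabled and what it still blocks, using the allow-* flag list above. It also applies two rules from the text: a sandbox directive delivered in a meta tag is ignored, and script execution or form submission can be blocked either by the sandbox or by script-src 'none' / form-action 'none'. The parser, the report structure and the function names are this example's own; the warning about combining allow-scripts with allow-same-origin is a known caveat of sandboxing that the page does not state.

```python
# Added example (not code from the original page): evaluate the sandbox
# directive of a CSP string and the script-src / form-action alternatives.
from dataclasses import dataclass, field

# The sandbox flags listed on the page.
SANDBOX_FLAGS = frozenset({
    "allow-scripts", "allow-forms", "allow-modals", "allow-orientation-lock",
    "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
    "allow-presentation", "allow-top-navigation", "allow-downloads",
    "allow-same-origin",
})


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [values]}.

    Directives are separated by ';' and values by whitespace. When a directive
    is repeated, browsers keep the first occurrence and ignore the rest, so the
    parser does the same.
    """
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


@dataclass
class SandboxReport:
    sandboxed: bool                                # is a sandbox directive in effect?
    allowed: frozenset = frozenset()               # recognised allow-* flags present
    blocked: frozenset = frozenset()               # features the sandbox still disables
    unknown: list = field(default_factory=list)    # tokens that are not valid flags
    warnings: list = field(default_factory=list)   # risky flag combinations


def sandbox_report(policy: str, source: str = "header") -> SandboxReport:
    """Evaluate the sandbox directive of a policy delivered via `source`
    ("header" or "meta"). A meta-tag sandbox is ignored, as the page states."""
    directives = parse_csp(policy)
    if source == "meta" or "sandbox" not in directives:
        return SandboxReport(sandboxed=False)
    values = {v.lower() for v in directives["sandbox"]}
    allowed = frozenset(values & SANDBOX_FLAGS)
    unknown = sorted(values - SANDBOX_FLAGS)   # unknown tokens are ignored by browsers
    warnings = []
    # Known caveat (not from the page): scripts running with the document's real
    # origin can undo the protection the sandbox gives that origin.
    if {"allow-scripts", "allow-same-origin"} <= allowed:
        warnings.append("allow-scripts with allow-same-origin: sandboxed content "
                        "runs as the real origin and can escape the sandbox")
    return SandboxReport(True, allowed, frozenset(SANDBOX_FLAGS - allowed),
                         unknown, warnings)


def _is_none(values: list[str]) -> bool:
    """True when a directive's value is exactly the 'none' keyword."""
    return [v.lower() for v in values] == ["'none'"]


def scripts_blocked(policy: str, source: str = "header") -> bool:
    """True if the policy stops script execution, either through an effective
    sandbox without allow-scripts or through script-src 'none'."""
    report = sandbox_report(policy, source)
    if report.sandboxed and "allow-scripts" not in report.allowed:
        return True
    return _is_none(parse_csp(policy).get("script-src", []))


def forms_blocked(policy: str, source: str = "header") -> bool:
    """Same check for form submission: sandbox without allow-forms, or form-action 'none'."""
    report = sandbox_report(policy, source)
    if report.sandboxed and "allow-forms" not in report.allowed:
        return True
    return _is_none(parse_csp(policy).get("form-action", []))


if __name__ == "__main__":
    # Constructed sample policies.
    for policy in ("sandbox", "sandbox allow-scripts allow-same-origin",
                   "script-src 'none'; form-action 'none'"):
        r = sandbox_report(policy)
        print(f"{policy!r}: sandboxed={r.sandboxed} "
              f"scripts_blocked={scripts_blocked(policy)} "
              f"forms_blocked={forms_blocked(policy)} warnings={r.warnings}")
```

Run it against the policy your server actually sends (the header value, not a meta tag) to see which allow-* flags are in effect and which features remain disabled; the report's blocked set is the list of things the page says the sandbox prevents.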
The sandbox directive has been part of the Content Security Policy specification since its first version (CSP Level 1). It was the only CSP feature supported by the Internet Explorer 11 CSP implementation, via the now discouraged X-Content-Security-Policy header (do not use the X- prefix anymore).