sandbox
Content-Security-Policy Document

Overview

sandbox applies restrictions like an iframe's sandbox attribute to the whole document, isolating and limiting page capabilities. It blocks scripts, form submission, popups, and top-level navigation by default, re-enabling only what you specify via allow-* tokens. This directive does NOT fall back to default-src.

Details

Specifying sandbox with no value applies maximum restriction: scripts don't run, forms can't submit, and the page is placed in an opaque origin, cutting off its own storage and cookies. You add tokens as needed: allow-scripts (run JS), allow-forms (submit forms), allow-same-origin (keep the original origin — without it the page is isolated), allow-popups (new windows), allow-popups-to-escape-sandbox, allow-top-navigation, allow-modals, allow-downloads, allow-pointer-lock, allow-presentation, and more.

Caution: granting both allow-scripts and allow-same-origin lets sandboxed scripts run in their own-origin context and remove the parent frame's CSP or sandbox attribute, effectively defeating isolation. Avoid that combination when isolating untrusted content. sandbox is powerful but broadly disables site functionality, so apply it carefully to special paths hosting user-generated content or third-party widgets.

Syntax

Content-Security-Policy: sandbox allow-scripts allow-forms

Notes

Related directives