sandboxsandbox applies restrictions like an iframe's sandbox attribute to the whole document, isolating and limiting page capabilities. It blocks scripts, form submission, popups, and top-level navigation by default, re-enabling only what you specify via allow-* tokens. This directive does NOT fall back to default-src.
Specifying sandbox with no value applies maximum restriction: scripts don't run, forms can't submit, and the page is placed in an opaque origin, cutting off its own storage and cookies. You add tokens as needed: allow-scripts (run JS), allow-forms (submit forms), allow-same-origin (keep the original origin — without it the page is isolated), allow-popups (new windows), allow-popups-to-escape-sandbox, allow-top-navigation, allow-modals, allow-downloads, allow-pointer-lock, allow-presentation, and more.
Caution: granting both allow-scripts and allow-same-origin lets sandboxed scripts run in their own-origin context and remove the parent frame's CSP or sandbox attribute, effectively defeating isolation. Avoid that combination when isolating untrusted content. sandbox is powerful but broadly disables site functionality, so apply it carefully to special paths hosting user-generated content or third-party widgets.
Content-Security-Policy: sandbox allow-scripts allow-forms