CSP: sandbox - HTTP 编辑

The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.

CSP version1.1 / 2
Directive typeDocument directive
This directive is not supported in the <meta> element or by the Content-Security-policy-Report-Only header field.

Syntax

Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;

where <value> can optionally be one of the following values:

allow-downloads-without-user-activation This is an experimental API that should not be used in production code.
Allows for downloads to occur without a gesture from the user.
allow-forms
Allows the page to submit forms. If this keyword is not used, this operation is not allowed.
allow-modals
Allows the page to open modal windows.
allow-orientation-lock
Allows the page to disable the ability to lock the screen orientation.
allow-pointer-lock
Allows the page to use the Pointer Lock API.
allow-popups
Allows popups (like from window.open, target="_blank", showModalDialog). If this keyword is not used, that functionality will silently fail.
allow-popups-to-escape-sandbox
Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
allow-presentation
Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin
Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-scripts
Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-storage-access-by-user-activation This is an experimental API that should not be used in production code.
Lets the resource request access to the parent's storage capabilities with the Storage Access API.
allow-top-navigation
Allows the page to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.
allow-top-navigation-by-user-activation
Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.

Examples

Content-Security-Policy: sandbox allow-scripts;

Specifications

SpecificationStatusComment
Content Security Policy Level 3
The definition of 'sandbox' in that specification.
Working DraftNo changes.
Content Security Policy Level 2
The definition of 'sandbox' in that specification.
RecommendationInitial definition.

Browser compatibility

BCD tables only load in the browser

See also

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:86 次

字数:6598

最后编辑:7 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文