CSP sandbox lists iframe directives #33334

Open
Sjord opened this issue Apr 30, 2024 · 2 comments
Labels: Content:HTTP (HTTP docs), help wanted (If you know something about this topic, we would love your help!)

Comments

@Sjord (Contributor) commented Apr 30, 2024

MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox

What specific section or headline is this issue about?

Syntax

What information was incorrect, unhelpful, or incomplete?

Some of the sandbox directives are only implemented for iframes, not for CSP.

What did you expect to see?

A list of directives such as allow-modals, allow-scripts, but not allow-top-navigation.

Do you have any supporting links, references, or citations?

No response

Do you have anything more you want to share?

No response

@Sjord Sjord added the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Apr 30, 2024
@github-actions github-actions bot added the Content:HTTP HTTP docs label Apr 30, 2024
@Sjord (Contributor, Author) commented Apr 30, 2024

  • allow-downloads works in Firefox and Chrome for actual downloads, regardless of download attribute.
  • allow-downloads-without-user-activation does not work in Firefox or Chrome. When allow-downloads is set, downloads without user activation are also permitted.
  • allow-forms works in Firefox and Chrome.
  • allow-modals works in Firefox and Chrome.
  • allow-orientation-lock works at least in Chrome.
  • allow-pointer-lock works in Firefox and Chrome.
  • allow-popups works in Firefox and Chrome.
  • allow-popups-to-escape-sandbox works in Firefox and Chrome.
  • allow-presentation works in Chrome.
  • allow-same-origin works in Firefox and Chrome.
  • allow-scripts works in Firefox and Chrome.
  • allow-storage-access-by-user-activation only seems applicable to iframes.
  • allow-top-navigation works, but only for child iframes. So it does not apply to links in the sandboxed pages, only to iframes with links on the sandboxed page.
  • allow-top-navigation-by-user-activation works, but only for child iframes.
  • allow-top-navigation-to-custom-protocols works, but only for child iframes.

@Sjord (Contributor, Author) commented May 4, 2024

So allow-top-navigation in the CSP header does do something, just not in the document but only in child iframes. So it should be documented on this page, but the description should be improved.
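A small header linter that turns the browser observations listed in the comments above into an automated check, added here as an illustration and not part of the issue or of MDN. The three token groups (effective in CSP, effective only on child iframes, no effect) are taken verbatim from the tested list in the thread and are an assumption about current Firefox/Chrome behaviour, not a statement of the spec.

```python
"""Lint the sandbox directive of a Content-Security-Policy header value.

Each sandbox token is classified using the behaviour reported in the issue
comments above (assumed accurate for Firefox/Chrome at the time of testing).
"""

# Tokens the comments report as working in the CSP sandbox directive.
CSP_EFFECTIVE = {
    "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
    "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
    "allow-presentation", "allow-same-origin", "allow-scripts",
}
# Tokens the comments report as acting only on child iframes of the document,
# not on the sandboxed document itself (e.g. links in the page stay blocked).
CHILD_IFRAME_ONLY = {
    "allow-top-navigation", "allow-top-navigation-by-user-activation",
    "allow-top-navigation-to-custom-protocols",
    "allow-storage-access-by-user-activation",
}
# Tokens the comments report as having no effect in a CSP sandbox directive.
NO_EFFECT = {"allow-downloads-without-user-activation"}


def parse_csp(header):
    """Split a CSP header value into {directive: [values]} (';' separated)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def lint_sandbox(header):
    """Return [(token, verdict)] for the sandbox directive, or None if absent.

    A bare 'sandbox' (no tokens) is the fully restricted sandbox and yields [].
    """
    policy = parse_csp(header)
    if "sandbox" not in policy:
        return None
    findings = []
    for tok in policy["sandbox"]:
        if tok in CSP_EFFECTIVE:
            verdict = "effective"
        elif tok in CHILD_IFRAME_ONLY:
            verdict = "child-iframes-only"
        elif tok in NO_EFFECT:
            verdict = "no-effect"
        else:
            verdict = "unknown"
        findings.append((tok, verdict))
    return findings
```

Running it over a policy such as `sandbox allow-scripts allow-top-navigation` flags the second token as `child-iframes-only`, which is exactly the documentation gap the comment describes: the directive is accepted, but it does not let the sandboxed document's own links navigate the top frame.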

@Josh-Cena Josh-Cena changed the title CSP sandbox lists non-existing directives CSP sandbox lists iframe directives Jun 5, 2024
@Josh-Cena Josh-Cena added help wanted If you know something about this topic, we would love your help! and removed needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. labels Jun 5, 2024