allow-downloads works in Firefox and Chrome for actual downloads, regardless of download attribute.
allow-downloads-without-user-activation does not work in Firefox or Chrome. When allow-downloads is set, downloads without user activation are also permitted.
allow-forms works in Firefox and Chrome.
allow-modals works in Firefox and Chrome.
allow-orientation-lock works at least in Chrome.
allow-pointer-lock works in Firefox and Chrome.
allow-popups works in Firefox and Chrome.
allow-popups-to-escape-sandbox works in Firefox and Chrome.
allow-top-navigation works, but only for child iframes. So it does not apply to links in the sandboxed pages, only to iframes with links on the sandboxed page.
allow-top-navigation-by-user-activation works, but only for child iframes.
allow-top-navigation-to-custom-protocols works, but only for child iframes.
So allow-top-navigation in the CSP header does do something, just not in the document but only in child iframes. So it should be documented on this page, but the description should be improved.
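A local harness for re-running the checks in the comment above. It is an added example, not part of the comment or of MDN, and the paths, the function names `sandboxHeader` and `route`, and the `SANDBOX_DEMO_PORT` variable are assumptions made for illustration. The parent page is sandboxed by the response header alone, and its child iframe holds a `target="_top"` link, so the link in the document and the link in the child frame can be compared per token.

```javascript
// Added example: local harness for observing what a CSP `sandbox` header enforces.
// Paths, function names and SANDBOX_DEMO_PORT are illustrative assumptions.
const TOKEN_RE = /^allow-[a-z]+(-[a-z]+)*$/;

// Build the header value; reject anything that is not a plain allow-* token so a
// query string cannot inject extra directives or header lines.
function sandboxHeader(tokens) {
  for (const t of tokens) {
    if (!TOKEN_RE.test(t)) throw new Error('invalid sandbox token');
  }
  return ['sandbox', ...tokens].join(' ');
}

const PAGES = {
  // Top-level document; only this response carries the CSP sandbox header.
  '/parent': '<h1>parent</h1><p><a href="/landed?from=parent">link in sandboxed document</a></p>' +
    '<iframe src="/child" width="400" height="120"></iframe>',
  // Child frame: a script-free link that tries to navigate the top-level context.
  '/child': '<a href="/landed?from=child" target="_top">child link, target=_top</a>',
  '/landed': '<h1>top-level navigation happened</h1>',
};

function route(rawUrl) {
  const url = new URL(rawUrl, 'http://127.0.0.1');
  const plain = { 'Content-Type': 'text/plain; charset=utf-8' };
  const body = PAGES[url.pathname];
  if (body === undefined) return { status: 404, headers: plain, body: 'not found' };
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (url.pathname === '/parent') {
    const tokens = (url.searchParams.get('tokens') || '').split(',').filter(Boolean);
    try {
      headers['Content-Security-Policy'] = sandboxHeader(tokens);
    } catch {
      return { status: 400, headers: plain, body: 'invalid sandbox token' };
    }
  }
  return { status: 200, headers, body };
}

// Serve only when a port is given, so importing or testing this file starts nothing.
if (process.env.SANDBOX_DEMO_PORT) {
  import('node:http').then((http) => {
    http.createServer((req, res) => {
      const r = route(req.url);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    }).listen(Number(process.env.SANDBOX_DEMO_PORT), '127.0.0.1');
  });
}
```

Start it with `SANDBOX_DEMO_PORT=8080` set and load `/parent` once with no `tokens` parameter and once with `?tokens=allow-top-navigation`, clicking both links each time.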
Josh-Cena changed the title from "CSP sandbox lists non-existing directives" to "CSP sandbox lists iframe directives" on Jun 5, 2024
Josh-Cena added the "help wanted" label and removed the "needs triage" label on Jun 5, 2024
MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
What specific section or headline is this issue about?
Syntax
What information was incorrect, unhelpful, or incomplete?
Some of the sandbox directives are only implemented for iframes, not for CSP.
What did you expect to see?
A list of directives such as allow-modals, allow-scripts, but not allow-top-navigation.
Do you have any supporting links, references, or citations?
No response
Do you have anything more you want to share?
No response
MDN metadata
Page report details
en-us/web/http/headers/content-security-policy/sandbox