The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox <value>;
where <value> can optionally be one of the following values:
allow-downloads
Allows downloading files through an <a> or <area> element with the download attribute, as well as through the navigation that leads to a download of a file. This works regardless of whether the user clicked on the link, or JS code initiated it without user interaction.
allow-forms
Allows the page to submit forms. If this keyword is not used, the form will be displayed as normal, but submitting it will not trigger input validation, send data to a web server, or close a dialog.
allow-modals
Allows the page to open modal windows by Window.alert(), Window.confirm(), Window.print() and Window.prompt(), while opening a <dialog> is allowed regardless of this keyword. It also allows the page to receive the BeforeUnloadEvent event.
allow-orientation-lock
Lets the resource lock the screen orientation.
allow-pointer-lock
Allows the page to use the Pointer Lock API.
allow-popups
Allows popups (created, for example, by Window.open() or target="_blank"). If this keyword is not used, popup display will silently fail.
allow-popups-to-escape-sandbox
Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon the page the ad links to.
allow-presentation
Allows embedders to have control over whether an iframe can start a presentation session.
allow-same-origin
If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).
allow-scripts
Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-storage-access-by-user-activation (Experimental)
Lets the resource request access to the parent's storage capabilities with the Storage Access API.
allow-top-navigation
Lets the resource navigate the top-level browsing context (the one named _top).
allow-top-navigation-by-user-activation
Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
allow-top-navigation-to-custom-protocols
Allows navigations to non-http protocols built into the browser or registered by a website. This feature is also activated by the allow-popups or allow-top-navigation keyword.
Note: The allow-top-navigation and related values only make sense for embedded documents (such as child iframes). For standalone documents, these values have no effect, as the top-level browsing context is the document itself.
Content-Security-Policy: sandbox allow-scripts;
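As an added example (not part of the original page), the following Node.js sketch audits a Content-Security-Policy header value against the token list above: it reports which sandbox tokens are granted, which restrictions remain in force, and which tokens are not recognized. The function name auditSandbox, the report fields and the sample header value are assumptions made for illustration.

```javascript
// Added example. Token list comes from this page; all names are hypothetical.
const SANDBOX_TOKENS = [
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-storage-access-by-user-activation", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
];

function auditSandbox(headerValue, { embedded = true } = {}) {
  // Directives are separated by ";", a directive's name and values by whitespace.
  const directives = headerValue.split(";").map((d) => d.trim().split(/\s+/));
  const sandbox = directives.find((d) => d[0].toLowerCase() === "sandbox");
  const report = { present: Boolean(sandbox), granted: [], unknown: [], stillBlocked: [], notes: [] };
  if (!sandbox) return report;

  for (const token of sandbox.slice(1).map((t) => t.toLowerCase())) {
    (SANDBOX_TOKENS.includes(token) ? report.granted : report.unknown).push(token);
  }
  const has = (t) => report.granted.includes(t);
  // Custom-protocol navigation is also activated by allow-popups or allow-top-navigation.
  const impliedCustom = has("allow-popups") || has("allow-top-navigation");
  report.stillBlocked = SANDBOX_TOKENS.filter((t) =>
    !has(t) && !(t === "allow-top-navigation-to-custom-protocols" && impliedCustom));

  if (!has("allow-same-origin")) {
    report.notes.push("special origin: always fails the same-origin policy");
  }
  if (has("allow-storage-access-by-user-activation")) {
    report.notes.push("allow-storage-access-by-user-activation is experimental");
  }
  if (!embedded && report.granted.some((t) => t.startsWith("allow-top-navigation"))) {
    report.notes.push("allow-top-navigation* has no effect for a standalone document");
  }
  if (report.unknown.length > 0) {
    report.notes.push("unrecognized tokens: " + report.unknown.join(", "));
  }
  return report;
}

// Constructed sample header value, not taken from a real site.
const sample = "default-src 'self'; sandbox allow-scripts allow-popups allow-top-navigation allow-bogus";
console.log(auditSandbox(sample, { embedded: false }));
```

A bare "sandbox;" yields an empty granted list with every token in stillBlocked, which is the most restrictive form of the directive.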