---
title: 'CSP: sandbox'
slug: Web/HTTP/Headers/Content-Security-Policy/sandbox
tags:
  - CSP
  - XSS防御
  - http头
  - 安全
translation_of: Web/HTTP/Headers/Content-Security-Policy/sandbox
---
<div>{{HTTPSidebar}}</div>

<p>The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) <code><strong>sandbox</strong></code> directive enables a sandbox for the requested resource similar to the {{HTMLElement("iframe")}} {{htmlattrxref("sandbox", "iframe")}} attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.</p>

<table class="properties">
 <tbody>
  <tr>
   <th scope="row">CSP version</th>
   <td>1.1 / 2</td>
  </tr>
  <tr>
   <th scope="row">Directive type</th>
   <td>{{Glossary("Document directive")}}</td>
  </tr>
  <tr>
   <th colspan="2" scope="row">This directive is not supported in the {{HTMLElement("meta")}} element or by the {{HTTPHeader("Content-Security-policy-Report-Only")}} header field.</th>
  </tr>
 </tbody>
</table>

<h2 id="句法"><font><font>句法</font></font></h2>

<pre class="syntaxbox">Content-Security-Policy: sandbox;
Content-Security-Policy: sandbox &lt;value&gt;;
</pre>

<p><code>&lt;value&gt;</code><font><font>可以选择是以下值之一：</font></font></p>

<dl>
 <dt><code>allow-forms</code></dt>
 <dd><font><font>允许嵌入式浏览上下文提交表单。</font><font>如果未使用此关键字，则不允许此操作。</font></font></dd>
 <dt><code>allow-modals</code></dt>
 <dd><font><font>允许嵌入式浏览上下文打开模态窗口。</font></font></dd>
 <dt><code>allow-orientation-lock</code></dt>
 <dd>允许嵌入式浏览上下文禁用锁定屏幕方向的功能。</dd>
 <dt><code>allow-pointer-lock</code></dt>
 <dd><font><font>允许嵌入式浏览上下文使用</font></font><a href="https://developer.mozilla.org/en-US/docs/WebAPI/Pointer_Lock"><font><font>Pointer Lock API</font></font></a><font><font>。</font></font></dd>
 <dt><code>allow-popups</code></dt>
 <dd><font><font>允许弹出窗口（像</font></font><code>window.open</code><font><font>，</font></font><code>target="_blank"</code><font><font>，</font></font><code>showModalDialog</code><font><font>）。</font><font>如果未使用此关键字，则该功能将无提示失败。</font></font></dd>
 <dt><code>allow-popups-to-escape-sandbox</code></dt>
 <dd><font>允许沙盒文档打开新窗口而不强制沙盒标记。</font><font>例如，这将允许安全地沙箱化第三方广告，而不会对登陆页面施加相同的限制。</font></dd>
 <dt><code>allow-presentation</code></dt>
 <dd><font><font>允许嵌入器控制iframe是否可以启动演示会话。</font></font></dd>
 <dt><code>allow-same-origin</code></dt>
 <dd><font>允许将内容视为来自其正常来源。</font><font>如果未使用此关键字，则嵌入的内容将被视为来自唯一来源。</font></dd>
 <dt><code>allow-scripts</code></dt>
 <dd><font>允许嵌入式浏览上下文运行脚本（但不创建弹出窗口）。</font><font>如果未使用此关键字，则不允许此操作。</font></dd>
 <dt><code>allow-top-navigation</code></dt>
 <dd><font>允许嵌入式浏览上下文将内容导航（加载）到顶级浏览上下文。</font><font>如果未使用此关键字，则不允许此操作。</font></dd>
</dl>

<h2 id="例子"><font><font>例子</font></font></h2>

<pre class="brush: bash">Content-Security-Policy: sandbox allow-scripts;</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{specName("CSP 3.0", "#directive-sandbox", "sandbox")}}</td>
   <td>{{Spec2('CSP 3.0')}}</td>
   <td>No changes.</td>
  </tr>
  <tr>
   <td>{{specName("CSP 1.1", "#directive-sandbox", "sandbox")}}</td>
   <td>{{Spec2('CSP 1.1')}}</td>
   <td>Initial definition.</td>
  </tr>
 </tbody>
</table>

<h2 id="浏览器兼容性"><font><font>浏览器兼容性</font></font></h2>

<p>{{Compat("http.headers.csp.sandbox")}}</p>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{HTTPHeader("Content-Security-Policy")}}</li>
 <li>{{htmlattrxref("sandbox", "iframe")}} attribute on {{HTMLElement("iframe")}} elements</li>
</ul>