
CSP sandbox lists non-existing directives

Open Sjord opened this issue 1 year ago • 2 comments

MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox

What specific section or headline is this issue about?

Syntax

What information was incorrect, unhelpful, or incomplete?

Some of the sandbox directives are only implemented for iframes, not for CSP.

What did you expect to see?

A list of directives such as allow-modals, allow-scripts, but not allow-top-navigation.

Do you have any supporting links, references, or citations?

No response

Do you have anything more you want to share?

No response

MDN metadata

Page report details
  • Folder: en-us/web/http/headers/content-security-policy/sandbox
  • MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
  • GitHub URL: https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/content-security-policy/sandbox/index.md
  • Last commit: https://github.com/mdn/content/commit/0880a90f3811475d78bc4b2c344eb4146f25f66c
  • Document last modified: 2023-04-10T19:47:15.000Z

Sjord, Apr 30 '24 16:04

  • allow-downloads works in Firefox and Chrome for actual downloads, regardless of download attribute.
  • allow-downloads-without-user-activation does not work in Firefox or Chrome. When allow-downloads is set, downloads without user activation are also permitted.
  • allow-forms works in Firefox and Chrome.
  • allow-modals works in Firefox and Chrome.
  • allow-orientation-lock works at least in Chrome.
  • allow-pointer-lock works in Firefox and Chrome.
  • allow-popups works in Firefox and Chrome.
  • allow-popups-to-escape-sandbox works in Firefox and Chrome.
  • allow-presentation works in Chrome.
  • allow-same-origin works in Firefox and Chrome.
  • allow-scripts works in Firefox and Chrome.
  • allow-storage-access-by-user-activation only seems applicable to iframes.
  • allow-top-navigation works, but only for child iframes. So it does not apply to links in the sandboxed pages, only to iframes with links on the sandboxed page.
  • allow-top-navigation-by-user-activation works, but only for child iframes.
  • allow-top-navigation-to-custom-protocols works, but only for child iframes.

Sjord, Apr 30 '24 18:04

So allow-top-navigation in the CSP header does do something, just not in the document but only in child iframes. So it should be documented on this page, but the description should be improved.

Sjord, May 04 '24 09:05