CSP sandbox lists non-existing directives

[Sjord]

MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox

What specific section or headline is this issue about?

Syntax

What information was incorrect, unhelpful, or incomplete?

Some of the sandbox directives are only implemented for iframes, not for CSP.

What did you expect to see?

A list of directives such as allow-modals, allow-scripts, but not allow-top-navigation.

Do you have any supporting links, references, or citations?

No response

Do you have anything more you want to share?

No response

MDN metadata

Page report details

* Folder: `en-us/web/http/headers/content-security-policy/sandbox` * MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox * GitHub URL: https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/content-security-policy/sandbox/index.md * Last commit: https://github.com/mdn/content/commit/0880a90f3811475d78bc4b2c344eb4146f25f66c * Document last modified: 2023-04-10T19:47:15.000Z

[Sjord]

• allow-downloads works in Firefox and Chrome for actual downloads, regardless of download attribute.
• allow-downloads-without-user-activation does not work in Firefox or Chrome. When allow-downloads is set, downloads without user activation are also permitted.
• allow-forms works in Firefox and Chrome.
• allow-modals works in Firefox and Chrome.
• allow-orientation-lock, works at least in Chrome.
• allow-pointer-lock works in Firefox and Chrome.
• allow-popups works in Firefox and Chrome.
• allow-popups-to-escape-sandbox works in Firefox and Chrome.
• allow-presentation works in Chrome.
• allow-same-origin works in Firefox and Chrome.
• allow-scripts works in Firefox and Chrome.
• allow-storage-access-by-user-activation only seems applicable to iframes.
• allow-top-navigation works, but only for child iframes. So it does not apply to links in the sandboxed pages, only to iframes with links on the sandboxed page.
• allow-top-navigation-by-user-activation works, but only for child iframes.
• allow-top-navigation-to-custom-protocols works, but only for child iframes.

[Sjord]

So allow-top-navigation in the CSP header does do something, just not in the document but only in child iframes. So it should be documented on this page, but the description should be improved.