In this design, the content restrictions are based on the "sandbox" attribute of frames in HTML5. The design is secure by default and uses a white list.
An HTTP server can deliver a policy to the browser by including a header named X-Sandbox. The X-Sandbox header has the following syntax:
content-security-policy = "x-sandbox" ":" OWS directive-list OWS directive-list = directive [1*SP directive-list] directive = "allow-same-origin" / "allow-forms" / "allow-scripts"
The user agent MUST ignore any X-Sandbox header fields occurring in an HTML meta tag or in the Trailer headers.
The effective directive set is the set of directives that satisfy the following requirements:
- The directive MUST appear in every X-Sandbox header field associated with an HTTP response.
- If the HTTP response was generated as a result of loading an HTML frame element that contained a sandbox attribute, then the directive MUST appear in the value of the attribute.
The user agent MUST restrict the privileges of the document contained in the HTTP response as described by the sandbox attribute of the frame element, substituting the effective directive set for the value of the sandbox attribute.