Content-Security-Policy: sandbox specification

Author: snuggs

middleware/policy.es

@@ -61,6 +61,21 @@ const
     // default-src fallback
     = Array.from (defaults)
 
+, sandboxes // base-uri
+    // default-src fallback
+    = [/*
+      allow-forms
+    , allow-popups
+    , allow-modals
+    , allow-scripts
+    , allow-same-origin
+    , allow-presentation
+    , allow-pointer-lock
+    , allow-top-navigation
+    , allow-orientation-lock
+    , allow-popups-to-escape-sandbox
+    */]
+
 
 , directives = [
   // Reporting directives
@@ -80,7 +95,10 @@ const
 
 // Document directives
   , `base-uri ${ bases.join ` ` }`
-//  , `sandbox ${ sandboxes.join ` ` }`
+  //  `sandbox  ...` is not supported in the <meta> element
+  //  or by the Content-Security-policy-Report-Only header field.
+  //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
+  , `sandbox ${ sandboxes.join ` ` }`
 //  , `plugin-types ${ plugins.join ` ` }`
 
 //  Navigation Directives

middleware/policy.test

@@ -248,6 +248,24 @@ test ("Content-Security-Policy: base-uri", async t => {
 })
 
 
+test ("Content-Security-Policy: sandbox", async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
+  , policy = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`sandbox`) )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: block-all-mixed-content", async t => {
 
   const