The sandbox attribute on an <iframe> tag adds different restrictions to the content of the iframe.
These restrictions improve security, but they also restrict the iframe content's functionality.
A sandbox attribute on an <iframe> element.
The attribute prevents JavaScript from executing. Without sandbox, an alert box would display.
<iframe srcdoc="<script>alert('Script is disabled!')</script>"
height="30" sandbox>
</iframe>
The sandbox attribute adds a group of restrictions to the <iframe> element's content.
Certain sandbox restrictions can be lifted with one or more attribute values (see below).
<iframe sandbox="allow-forms | allow-modals | allow-orientation-lock | allow-pointer-lock | allow-popups | allow-popups-to-escape-sandbox | allow-presentation | allow-same-origin | allow-scripts | allow-top-navigation | allow-top-navigation-by-user-activation" />
Note: These sandbox values remove certain restrictions. If not specified, all restrictions will be applied.
To remove all restrictions, the sandbox attribute itself should be removed.
Value | Description |
---|---|
empty or no value set | Implements all restrictions. |
allow-forms | Allows forms to be submitted. |
allow-modals | Allows opening of modals. |
allow-orientation-lock | Allows screen orientation to be locked. |
allow-pointer-lock | Allows pointer lock API. |
allow-popups | Allows popups. |
allow-popups-to-escape-sandbox | Allows popups to open in a new tab or window. |
allow-presentation | Allows a presentation to be started. |
allow-same-origin | Allows frame content to be treated as same origin. |
allow-scripts | Enables scripts to execute. |
allow-top-navigation | Allows frame content to navigate on the frame's page. |
allow-top-navigation-by-user-activation | Allows content to be opened in a new tab or window, if allowed by the user. |
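An added example (not from the original page): a JavaScript check that splits a sandbox value into its space-separated tokens, compares them with the values in the table above, and flags the allow-scripts plus allow-same-origin pair, which lets a framed page served from the embedding page's own origin remove its sandbox. The name auditSandbox and the sample values are assumptions made for illustration.

```javascript
// Added example: audit an <iframe sandbox="..."> value (auditSandbox is a hypothetical helper).
// The real attribute value is a space-separated, case-insensitive token list;
// the "|" in the syntax line above means "or" and is not part of the value.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock", "allow-pointer-lock",
  "allow-popups", "allow-popups-to-escape-sandbox", "allow-presentation",
  "allow-same-origin", "allow-scripts", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]); // exactly the values listed in this page's table

// value: the attribute string, or null when the attribute is absent.
function auditSandbox(value) {
  if (value === null || value === undefined) {
    return { sandboxed: false, lifted: [], unknown: [],
             warnings: ["no sandbox attribute: no restrictions are applied"] };
  }
  // Split on ASCII whitespace, lowercase, and drop duplicates.
  const tokens = [...new Set(
    value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean))];
  const lifted = tokens.filter((t) => KNOWN_TOKENS.has(t));
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t));
  const warnings = [];
  if (unknown.length > 0) {
    // Browsers ignore tokens they do not recognise, so a typo lifts nothing.
    warnings.push("tokens not in this page's table: " + unknown.join(", "));
  }
  if (lifted.includes("allow-scripts") && lifted.includes("allow-same-origin")) {
    warnings.push("allow-scripts with allow-same-origin: content from the " +
      "embedding page's origin can script the parent and remove the sandbox");
  }
  return { sandboxed: true, lifted, unknown, warnings };
}

// Constructed sample values, not taken from any real site.
const samples = [
  "",                                   // bare sandbox: every restriction applies
  "allow-forms allow-scripts",          // scripts run, origin stays unique
  "allow-scripts | allow-same-origin",  // "|" copied from the syntax line
  "Allow-Scripts  allow-same-origin",   // mixed case and extra spaces
  null,                                 // attribute missing entirely
];
for (const s of samples) {
  console.log(JSON.stringify(s), auditSandbox(s));
}
```
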
Here is when sandbox support started for each browser:
Browser | Version | Date |
---|---|---|
Chrome | 4.0 | Jan 2010 |
Firefox | 17.0 | Nov 2012 |
IE/Edge | 10.0 | Sep 2012 |
Opera | 15.0 | May 2013 |
Safari | 5.0 | Jun 2010 |