Dofactory.com
Dofactory.com
Earn income with your HTML skills
Sign up and we'll send you the best freelance opportunities straight to your inbox.
We're building the largest freelancing marketplace for people like you.
By adding your name & email you agree to our terms, privacy and cookie policies.

HTML <iframe> sandbox Attribute

The sandbox attribute on a <iframe> tag adds different restrictions to the content of the iframe.

These restrictions improve security, but they also restrict the iframe content‘s functionality.

Example

#

A sandbox attribute on a <iframe> element. The attribute prevents JavaScript from executing. Without sandbox an alert box would display.

<iframe srcdoc="<script>alert('Script is disabled!')</script>"
        height="30" sandbox>
</iframe>

Using sandbox

The sandbox attribute adds a group of restriction to the <iframe> element's content, like so:

  • prevents form submission
  • disabled all script
  • disable APIs
  • display content as if it's from unique origin
  • disabled links from targeting new tab or window
  • prevents content to navigate to the iframe's page
  • disable automatic triggered events (e.g. playing video or audio, focusing elements at load)

Certain sandbox restrictions can be lifted with one or more attribute values (see below).


Syntax

<iframe sandbox="allow-forms | allow-modals | 
     allow-orientation-lock | allow-pointer-lock | 
     allow-popups | allow-popups-to-escape-sandbox |
     allow-presentation | allow-same-origin | allow-scripts |
     allow-top-navigation | allow-top-navigation-by-user-activation" />

Note: These sandbox values remove certain restrictions. If not specified, all restrictions will be applied. To remove all restrictions the sandbox attribute itself should be removed.

Values

#

Value Description
empty or no value set Implements all restrictions.
allow-forms Allows form to be submitted.
allow-modals Allows opening of modals.
allow-orientation-lock Allows screen orientation to be locked.
allow-pointer-lock Allows pointer lock API.
allow-popups Allow popups.
allow-popups-to-escape-sandbox Allow popup to open in new tab or window.
allow-presentation Allow a presentation to be started.
allow-same-origin Allows frame content to be treated as same origin.
allow-scripts Enables script to execute.
allow-top-navigation Allows frame content to navigate on the frame's page.
allow-top-navigation-by-user-activation Allows content to be opened in new tab or window -- if allowed by the user.

Browser support

Here is when sandbox support started for each browser:

Chrome
4.0 Jan 2010
Firefox
17.0 Nov 2012
IE/Edge
10.0 Sep 2012
Opera
15.0 May 2013
Safari
5.0 Jun 2010

You may also like

 Back to <iframe>

Last updated on Sep 30, 2023

Earn income with your HTML skills
Sign up and we'll send you the best freelance opportunities straight to your inbox.
We're building the largest freelancing marketplace for people like you.
By adding your name & email you agree to our terms, privacy and cookie policies.

Guides