HTML <iframe> sandbox Attribute

The sandbox attribute on a <iframe> tag adds a large number of restrictions to the content of the iframe. These restrictions improve security, but they also restrict the iframe content‘s functionality.

Example

#

A sandbox attribute on a <iframe> element.
The attribute prevents JavaScript from executing. Without sandbox an alert box would display.

<iframe srcdoc="<script>alert('Script is disabled!')</script>"
        height="30" sandbox>
</iframe>

Using sandbox

The sandbox attribute adds a group of restriction to the <iframe> element's content, like so:

  • prevents form submission
  • disabled all script
  • disable APIs
  • display content as if it's from unique origin
  • disabled links from targeting new tab or window
  • prevents content to navigate to the iframe's page
  • disable automatic triggered events (e.g. playing video or audio, focusing elements at load)

Certain sandbox restrictions can be lifted with one or more attribute values (see below).


Syntax

<iframe sandbox="allow-forms | allow-modals | allow-orientation-lock | 
                 allow-pointer-lock | allow-popups | allow-popups-to-escape-sandbox |
                 allow-presentation | allow-same-origin | allow-scripts |
                 allow-top-navigation | allow-top-navigation-by-user-activation" />

Note: These sandbox values remove certain restrictions. If not specified, all restrictions will be applied. To remove all restrictions the sandbox attribute itself should be removed.

Values

#

Value Description
empty or no value set Implements all restrictions.
allow-forms Allows form to be submitted.
allow-modals Allows opening of modals.
allow-orientation-lock Allows screen orientation to be locked.
allow-pointer-lock Allows pointer lock API.
allow-popups Allow popups.
allow-popups-to-escape-sandbox Allow popup to open in new tab or window.
allow-presentation Allow a presentation to be started.
allow-same-origin Allows frame content to be treated as same origin.
allow-scripts Enables script to execute.
allow-top-navigation Allows frame content to navigate on the frame's page.
allow-top-navigation-by-user-activation Allows content to be opened in new tab or window -- if allowed by the user.

Browser support

Here is when sandbox support started for each browser:

Chrome
4.0 Jan 2010
Firefox
17.0 Nov 2012
IE/Edge
10.0 Sep 2012
Opera
15.0 May 2013
Safari
5.0 Jun 2010

You may also like

 Back to <iframe>
Guides