HTML <iframe> sandbox attribute
Definition and usage
The sandbox attribute enables a set of additional restrictions for the content within the iframe.
When the sandbox attribute exists, it will:
- Treat content as coming from a unique origin
- Prevent form submission
- Prevent script execution
- Disable APIs
- Prevent links from targeting other browsing contexts
- Prevent content from using plugins (through <embed>, <object>, <applet>, or other means)
- Prevent content from navigating its top-level browsing context
- Prevent automatic triggering of features (such as automatic video playback or automatic focus on form controls)
The value of the sandbox attribute can be empty (in which case all restrictions are applied), or a space-separated list of predefined values, each of which removes a specific restriction.
Examples
Example 1
<iframe> with additional restrictions:
<iframe src="demo_iframe_sandbox.htm" sandbox></iframe>
Example 2
Allow form submissions in <iframe> sandbox:
<iframe src="demo_iframe_sandbox_form.htm" sandbox="allow-forms"></iframe>
Example 3
Allow script execution in <iframe> sandbox:
<iframe src="demo_iframe_sandbox_origin.htm" sandbox="allow-scripts"></iframe>
Syntax
<iframe sandbox="value">
Attribute value
Value | Description |
---|---|
"" (no value) | Applies all restrictions. |
allow-forms | Allows form submissions. |
allow-modals | Allows modal windows to be opened. |
allow-orientation-lock | Allows screen rotation to be locked. |
allow-pointer-lock | Allows the use of Pointer Lock API. |
allow-popups | Allows pop-up windows. |
allow-popups-to-escape-sandbox | Allows pop-up windows to open new windows without inheriting sandboxing. |
allow-presentation | Allows starting a presentation session. |
allow-same-origin | Allows iframe content to be considered as having the same origin as the containing document. |
allow-scripts | Allows running scripts. |
allow-top-navigation | Allows iframe content to navigate its top-level browsing context. |
allow-top-navigation-by-user-activation | Allows iframe content to navigate its top-level browsing context, but only when initiated by the user. |
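The following is an added example, not part of the original page: a small JavaScript linter that reads sandbox values out of markup, checks each token against the table above, and flags combinations that give back most of what the sandbox takes away. The function names, the warning texts and the sample markup (including `widget.htm` and `legacy.htm`) are constructed for illustration; tokens are treated as case-insensitive and unrecognized tokens as lifting nothing.

```javascript
// Added example: audit <iframe sandbox> values against the tokens in the table above.
const KNOWN = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock", "allow-pointer-lock",
  "allow-popups", "allow-popups-to-escape-sandbox", "allow-presentation",
  "allow-same-origin", "allow-scripts", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// value: the attribute's string value, or null when the attribute is absent.
function auditSandbox(value) {
  if (value === null) {
    return { sandboxed: false, allowed: [], unknown: [],
             warnings: ["no sandbox attribute: no restrictions applied"] };
  }
  // Tokens are separated by whitespace and compared case-insensitively.
  const tokens = [...new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean))];
  const allowed = tokens.filter((t) => KNOWN.has(t));
  const unknown = tokens.filter((t) => !KNOWN.has(t));
  const has = (t) => allowed.includes(t);
  const warnings = [];
  if (unknown.length) warnings.push(`unrecognized tokens (lift nothing): ${unknown.join(", ")}`);
  if (has("allow-scripts") && has("allow-same-origin"))
    warnings.push("allow-scripts + allow-same-origin: same-origin content can remove its own sandbox");
  if (has("allow-top-navigation"))
    warnings.push("allow-top-navigation: frame can navigate the top-level page without user action");
  if (has("allow-popups-to-escape-sandbox"))
    warnings.push("allow-popups-to-escape-sandbox: windows it opens are not sandboxed");
  return { sandboxed: true, allowed, unknown, warnings };
}

// Regex scan of <iframe> start tags: adequate for linting templates, not a full HTML parser.
function auditIframes(html) {
  const results = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const m = tag.match(/\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s>\/])/i);
    const value = m ? (m[1] ?? m[2] ?? m[3] ?? "") : null; // bare attribute => ""
    results.push({ tag, ...auditSandbox(value) });
  }
  return results;
}

// Constructed sample markup: the first two frames are the page's Examples 1 and 2.
const SAMPLE = `
<iframe src="demo_iframe_sandbox.htm" sandbox></iframe>
<iframe src="demo_iframe_sandbox_form.htm" sandbox="allow-forms"></iframe>
<iframe src="widget.htm" sandbox="allow-scripts ALLOW-SAME-ORIGIN allow-script"></iframe>
<iframe src="legacy.htm"></iframe>`;

console.log(JSON.stringify(auditIframes(SAMPLE), null, 2));
```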
Browser Support
The numbers in the table indicate the first browser version to fully support this attribute.
Chrome | Edge | Firefox | Safari | Opera |
---|---|---|---|---|
4.0 | 10.0 | 17.0 | 5.0 | 15.0 |