HTML <iframe> sandbox attribute

Definition and usage

The sandbox attribute enables a set of additional restrictions for the content within the iframe.

When the sandbox attribute is present, it will:

  • Treat content as coming from a unique origin
  • Prevent form submission
  • Prevent script execution
  • Disable APIs
  • Prevent links from targeting other browsing contexts
  • Prevent content from using plugins (through <embed>, <object>, <applet>, or other means)
  • Prevent content from navigating its top-level browsing context
  • Prevent automatic triggering of features (such as automatic video playback or automatic focus on form controls)

The value of the sandbox attribute can be empty (in which case all restrictions are applied), or a list of predefined values separated by spaces, each of which removes a specific restriction.

Examples

Example 1

<iframe> with additional restrictions:

<iframe src="demo_iframe_sandbox.htm" sandbox></iframe>

Example 2

Allow form submissions in <iframe> sandbox:

<iframe src="demo_iframe_sandbox_form.htm" sandbox="allow-forms"></iframe>

Example 3

Allow script execution in <iframe> sandbox:

<iframe src="demo_iframe_sandbox_origin.htm" sandbox="allow-scripts"></iframe>

Syntax

<iframe sandbox="value">

Attribute value

Value Description
"" (no value) Apply all restrictions.
allow-forms Allow form submissions.
allow-modals Allow modal windows to be opened.
allow-orientation-lock Allow screen rotation to be locked.
allow-pointer-lock Allows the use of Pointer Lock API.
allow-popups Allows pop-up windows.
allow-popups-to-escape-sandbox Allows pop-up windows to open new windows without inheriting sandboxing.
allow-presentation Allows starting a presentation session.
allow-same-origin Allows iframe content to be considered as having the same origin as the containing document.
allow-scripts Allows running scripts.
allow-top-navigation Allows iframe content to navigate its top-level browsing context.
allow-top-navigation-by-user-activation Allows iframe content to navigate its top-level browsing context, but only when initiated by the user.
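
The following is an added example, not code from the original page: a small audit helper for reviewing sandbox values in markup. It checks a value against the tokens in the table above, reports which restrictions are lifted, and flags two common problems (unrecognized tokens, and allow-scripts combined with allow-same-origin). The function name auditSandbox and the sample values are assumptions made for illustration.

```javascript
// Added example: tokens taken from the attribute value table above.
const SANDBOX_TOKENS = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock", "allow-pointer-lock",
  "allow-popups", "allow-popups-to-escape-sandbox", "allow-presentation",
  "allow-same-origin", "allow-scripts", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// attrValue: the sandbox attribute string, or null when the attribute is absent.
function auditSandbox(attrValue) {
  if (attrValue === null) {
    return { sandboxed: false, allowed: [], unknown: [],
             warnings: ["no sandbox attribute: no restrictions apply"] };
  }
  // Tokens are separated by ASCII whitespace and matched case-insensitively.
  const tokens = attrValue.split(/[ \t\n\f\r]+/).filter(Boolean)
                          .map((t) => t.toLowerCase());
  const unique = [...new Set(tokens)];
  const allowed = unique.filter((t) => SANDBOX_TOKENS.has(t));
  const unknown = unique.filter((t) => !SANDBOX_TOKENS.has(t));
  const warnings = [];
  if (unknown.length > 0) {
    // e.g. a comma-separated list parses as one unrecognized token
    warnings.push("unrecognized tokens lift nothing: " + unknown.join(" "));
  }
  if (allowed.includes("allow-scripts") && allowed.includes("allow-same-origin")) {
    warnings.push("allow-scripts with allow-same-origin: same-origin content " +
                  "can reach the embedding page and remove the sandbox attribute");
  }
  return { sandboxed: true, allowed, unknown, warnings };
}

// Constructed sample values, not taken from the page.
for (const v of ["", "allow-forms", "allow-forms,allow-scripts",
                 "Allow-Scripts  allow-same-origin", null]) {
  console.log(JSON.stringify(v), "->", JSON.stringify(auditSandbox(v)));
}
```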

Browser Support

The numbers in the table indicate the first browser version to fully support this attribute.

Chrome Edge Firefox Safari Opera
4.0 10.0 17.0 5.0 15.0