HTML sandbox Attribute
Example
<iframe src="demo/demo.html">
Your browser does not support iframe element.
</iframe>Meaning
Applies extra restrictions to the content in the <iframe>. The value of the attribute can either be empty to apply all restrictions, or space-separated tokens to lift particular restrictions.
<iframe> attribute constrains the abilities of any iframed content.
It may contain a space-separated list of exceptions on included iframe content.
Currently supported values include allow-same-origin, allow-scripts, and allow-forms.
By default, the included content will be highly restricted, but each allow value will extend the sandbox to allow the included content to talk to its origin domain allow-same-origin, invoke scripting allow-scripts, or post forms allow-forms.
Standard Syntax
<element sandbox="value">Browser Support
Status
Applies to:
The sandbox attribute can be used on the following element:
Attribute Values
| Value | Description |
|---|---|
| no value | Applies all restrictions |
| allow-downloads-without-user-activation | Allows for downloads to occur without a gesture from the user. |
| allow-downloads | Allows for downloads to occur with a gesture from the user. |
| allow-forms | Allows form resource to submission. |
| allow-modals | Allows to open modal windows. |
| allow-orientation-lock | Allows to lock the screen orientation. |
| allow-pointer-lock | Allows to use the Pointer Lock API. |
| allow-popups | Allows popups (such as window.open(), target="_blank", or showModalDialog()). |
| allow-popups-to-escape-sandbox | Allows popups to open new windows without inheriting the sandboxing. |
| allow-presentation | Allows to start a presentation session |
| allow-same-origin | Allows the iframe content to be treated as being from the same origin (potentially preventing access to data storage/cookies and some JavaScript APIs). |
| allow-scripts | Allows resources to run scripts |
| allow-storage-access-by-user-activation | Allows the resource request access to the parent's storage capabilities with the Storage Access API. |
| allow-top-navigation | Allows the iframe content to navigate its top-level browsing context(window). |
| allow-top-navigation-by-user-activation | Allows the iframe content to navigate its top-level browsing context, but only if initiated by user |