HTML sandbox Attribute

Beginner
⏱️ 5 min read
📚 Updated: Jun 2026
🎯 3 Examples
Privacy & Security

Introduction

The sandbox attribute on <iframe> creates a restricted environment for embedded content. When present (even empty: sandbox or sandbox=""), the browser applies maximum lockdown — blocking scripts, form submission, popups, and top-level navigation. You then add allow-* tokens to lift specific restrictions only where needed. Use it for ads, user-generated embeds, and third-party widgets. Manage tokens with iframe.sandbox (a DOMTokenList in JavaScript). Pair with referrerpolicy and Content Security Policy for defense in depth.

What You’ll Learn

01

iframe lock

Max restrict.

02

allow-*

Lift rules.

03

Scripts

allow-scripts.

04

Forms

allow-forms.

05

.sandbox

Token list.

06

Risks

same-origin.

Purpose of sandbox Attribute

Embedding another page in an <iframe> runs foreign HTML and JavaScript in your site’s context. Without protection, embedded content could redirect the parent page, steal cookies, open popups, or submit forms. The sandbox attribute mitigates these risks by defaulting to a locked-down mode.

Think of it as a deny-by-default security model: add only the allow-* permissions the embed truly needs — not a blanket allow-everything approach.

⚠️
allow-scripts + allow-same-origin

Together, these tokens can let sandboxed scripts access same-origin storage and weaken isolation. Avoid combining them for untrusted third-party content.

📝 Syntax

Add sandbox to an <iframe> — empty for max restrictions, or with space-separated allow-* tokens:

sandbox.html
<!-- Maximum restrictions (recommended starting point) -->
<iframe src="https://widgets.example.com" sandbox></iframe>

<!-- Allow scripts only (still blocks forms, popups, etc.) -->
<iframe src="https://widgets.example.com" sandbox="allow-scripts"></iframe>

<!-- Inline demo with srcdoc -->
<iframe sandbox="allow-scripts" srcdoc="<p>Hello</p>"></iframe>

Syntax Rules

  • Valid on <iframe> — the standard use case.
  • Empty sandbox or sandbox="" enables all default restrictions.
  • Tokens are space-separated allow-* keywords that remove specific restrictions.
  • Invalid or unknown tokens are ignored.
  • JavaScript: iframe.sandbox is a DOMTokenList — use .add(), .remove(), .toggle().
  • Complements (does not replace) CSP, HTTPS, and careful src selection.
  • Use srcdoc for small trusted inline demos; use src for external pages.

💎 Values

Common allow-* sandbox tokens (each lifts one restriction):

  • allow-scripts — Permits JavaScript execution inside the iframe.
  • allow-same-origin — Treats content as same origin (enables storage access; use cautiously).
  • allow-forms — Allows form submission from the iframe.
  • allow-modals — Allows alert(), confirm(), and prompt().
  • allow-popups — Allows opening new browsing contexts (popups).
  • allow-popups-to-escape-sandbox — Popups run without sandbox restrictions.
  • allow-top-navigation-by-user-activation — Top-level navigation only after user gesture.
  • allow-downloads — Allows file downloads from the iframe.
sandbox-tokens.html
<!-- Widget needs scripts + forms, nothing else -->
<iframe
  src="https://partner.example/widget"
  sandbox="allow-scripts allow-forms"
  title="Partner widget"
></iframe>

How it Works

Without any token, the iframe cannot run scripts or submit forms. Each allow-* value you add grants one capability back to the embedded document.

⚡ Quick Reference

MarkupEffectUse when
sandboxAll restrictions onUntrusted static embeds
sandbox="allow-scripts"JS allowedInteractive widget, no forms
allow-formsForm submit allowedLogin/payment iframe (trusted)
allow-popupswindow.open allowedOAuth popup flows
allow-same-originSame-origin APIsTrusted same-site embeds only
iframe.sandbox.add()JS token controlDynamic permission changes

Applicable Elements

ElementSupports sandbox?Notes
<iframe>YesPrimary and intended element
<embed>NoUse iframe for sandboxed embeds
<object>NoDifferent security model
<div>NoNot a global security attribute

No sandbox vs sandbox vs tokens

CapabilityNo sandboxsandbox (empty)allow-scripts
Run JavaScriptYesNoYes
Submit formsYesNoNo (needs allow-forms)
Open popupsYesNoNo (needs allow-popups)
Navigate parent pagePossibleBlockedStill blocked
Unique originNormal originYes (isolated)Still isolated*

*Adding allow-same-origin removes unique-origin treatment.

Examples Gallery

Locked-down iframe, selective allow-* tokens, and dynamic iframe.sandbox updates in JavaScript.

👀 Live Preview

Iframe with empty sandbox — scripts inside are blocked:

The button does not run alert() without allow-scripts.

Example — Empty sandbox (max lockdown)

Start with no permissions for untrusted embeds:

sandbox-empty.html
<iframe
  src="https://untrusted.example/embed"
  sandbox
  title="Untrusted embed"
  width="300"
  height="200"
></iframe>
Try It Yourself

How It Works

Presence of sandbox alone activates the full restriction set. Add tokens only when you need more capability.

Example — allow-scripts

Enable JavaScript while keeping forms and popups blocked:

sandbox-allow-scripts.html
<iframe
  sandbox="allow-scripts"
  title="Scripted widget"
  srcdoc="<p id='msg'>Loading…</p><script>document.getElementById('msg').textContent='Script ran!';</script>"
  width="280"
  height="80"
></iframe>
Try It Yourself

How It Works

allow-scripts lifts the script ban only. Forms still need allow-forms; popups still need allow-popups.

Dynamic Values with JavaScript

Add sandbox tokens at runtime with iframe.sandbox:

dynamic-sandbox.html
<iframe id="dynamicIframe" sandbox src="about:blank"></iframe>
<button id="enableBtn">Allow scripts</button>

<script>
  document.getElementById("enableBtn").addEventListener("click", () => {
    document.getElementById("dynamicIframe").sandbox.add("allow-scripts");
  });
</script>
Try It Yourself

How It Works

iframe.sandbox is a DOMTokenList. Use .add(), .remove(), and .contains() to manage tokens programmatically.

♿ Accessibility

  • Always set title — Give every sandboxed <iframe> a descriptive title for screen reader users.
  • Sandbox does not block focus — Users can still tab into the iframe; ensure embedded UI is accessible.
  • Modals need allow-modals — Without it, alert() inside the iframe is blocked (often desirable).
  • Inform users about embeds — Label third-party content clearly in surrounding page text.
  • Security aids everyone — Preventing malicious redirects protects all users, including assistive tech users.

🧠 How sandbox Works

1

Add sandbox

Browser locks iframe down.

Markup
2

Unique origin

Isolated from parent cookies.

Security
3

Add allow-*

Lift only needed caps.

Tokens
=

Safer embeds

Least privilege for third-party content.

Browser Support

The sandbox attribute is supported in all modern browsers on <iframe> elements.

HTML5 · Fully supported

iframe sandbox everywhere

All major browsers enforce sandbox restrictions on iframe content.

99% Browser support
Google Chrome Fully supported
Full support
Mozilla Firefox Fully supported
Full support
Apple Safari Fully supported
Full support
Microsoft Edge Fully supported
Full support
sandbox on iframe Excellent

Bottom line: Use sandbox on all untrusted iframe embeds in production.

💡 Best Practices

✅ Do

  • Default to empty sandbox for third-party embeds
  • Add only the allow-* tokens you truly need
  • Always set a meaningful title on iframes
  • Combine with CSP and HTTPS for layered security
  • Use srcdoc for small, controlled inline demos

❌ Don’t

  • Combine allow-scripts + allow-same-origin for untrusted sites
  • Omit sandbox on user-generated or ad iframes
  • Grant allow-popups-to-escape-sandbox without good reason
  • Assume sandbox replaces server-side validation
  • Embed sensitive pages without reviewing required tokens

Conclusion

The sandbox attribute is essential for safely embedding third-party content in <iframe> elements.

Start locked down, add allow-* tokens sparingly, and manage permissions with iframe.sandbox when you need dynamic control.

Key Takeaways

Knowledge Unlocked

Five truths every developer should know about sandbox

Bookmark these before your next iframe embed.

5
Core concepts
🔑 02

allow-*

Lift caps.

Tokens
💻 03

iframe only

Element.

Scope
04

same-origin risk

Pair wisely.

Caution
05

DOMTokenList

.add() in JS.

API

❓ Frequently Asked Questions

It applies security restrictions to iframe content. Empty sandbox blocks scripts, forms, popups, and more. allow-* tokens lift specific restrictions.
Maximum restrictions — the strictest mode. No scripts, no forms, no popups, unique origin, and blocked top navigation.
They remove (lift) specific restrictions. Sandbox starts locked; each token grants one capability back.
Only for content you trust. Together they weaken sandbox isolation and can allow scripts to access same-origin storage.
iframe.sandbox.add("allow-scripts") or setAttribute("sandbox", "allow-scripts allow-forms").
Yes on iframe in all modern browsers.

Embed iframes safely

Practice the sandbox attribute with locked-down and token-based examples in the Try It editor.

Try sandbox example →

About the author

Mari Selvan M P
Mari Selvan M P 🔗

Developer, cloud engineer, and technical writer

  • Experience 12 years building web and cloud systems
  • Focus Full Stack Development, AWS, and Developer Education

I write practical tutorials so students and working developers can learn by doing—from databases and APIs to deployment on AWS.

3 people found this page helpful