👀 Live Preview
Iframe with empty sandbox — scripts inside are blocked:
The button does not run alert() without allow-scripts.

The sandbox attribute on <iframe> creates a restricted environment for embedded content. When present (even empty: sandbox or sandbox=""), the browser applies maximum lockdown — blocking scripts, form submission, popups, and top-level navigation. You then add allow-* tokens to lift specific restrictions only where needed. Use it for ads, user-generated embeds, and third-party widgets. Manage tokens with iframe.sandbox (a DOMTokenList in JavaScript). Pair with referrerpolicy and Content Security Policy for defense in depth.
Max restrict.
Lift rules.
allow-scripts.
allow-forms.
Token list.
same-origin.
sandbox AttributeEmbedding another page in an <iframe> runs foreign HTML and JavaScript in your site’s context. Without protection, embedded content could redirect the parent page, steal cookies, open popups, or submit forms. The sandbox attribute mitigates these risks by defaulting to a locked-down mode.
Think of it as a deny-by-default security model: add only the allow-* permissions the embed truly needs — not a blanket allow-everything approach.
Together, these tokens can let sandboxed scripts access same-origin storage and weaken isolation. Avoid combining them for untrusted third-party content.
Add sandbox to an <iframe> — empty for max restrictions, or with space-separated allow-* tokens:
<!-- Maximum restrictions (recommended starting point) -->
<iframe src="https://widgets.example.com" sandbox></iframe>
<!-- Allow scripts only (still blocks forms, popups, etc.) -->
<iframe src="https://widgets.example.com" sandbox="allow-scripts"></iframe>
<!-- Inline demo with srcdoc -->
<iframe sandbox="allow-scripts" srcdoc="<p>Hello</p>"></iframe><iframe> — the standard use case.sandbox or sandbox="" enables all default restrictions.allow-* keywords that remove specific restrictions.iframe.sandbox is a DOMTokenList — use .add(), .remove(), .toggle().src selection.srcdoc for small trusted inline demos; use src for external pages.Common allow-* sandbox tokens (each lifts one restriction):
allow-scripts — Permits JavaScript execution inside the iframe.allow-same-origin — Treats content as same origin (enables storage access; use cautiously).allow-forms — Allows form submission from the iframe.allow-modals — Allows alert(), confirm(), and prompt().allow-popups — Allows opening new browsing contexts (popups).allow-popups-to-escape-sandbox — Popups run without sandbox restrictions.allow-top-navigation-by-user-activation — Top-level navigation only after user gesture.allow-downloads — Allows file downloads from the iframe.<!-- Widget needs scripts + forms, nothing else -->
<iframe
src="https://partner.example/widget"
sandbox="allow-scripts allow-forms"
title="Partner widget"
></iframe>Without any token, the iframe cannot run scripts or submit forms. Each allow-* value you add grants one capability back to the embedded document.
| Markup | Effect | Use when |
|---|---|---|
sandbox | All restrictions on | Untrusted static embeds |
sandbox="allow-scripts" | JS allowed | Interactive widget, no forms |
allow-forms | Form submit allowed | Login/payment iframe (trusted) |
allow-popups | window.open allowed | OAuth popup flows |
allow-same-origin | Same-origin APIs | Trusted same-site embeds only |
iframe.sandbox.add() | JS token control | Dynamic permission changes |
| Element | Supports sandbox? | Notes |
|---|---|---|
<iframe> | Yes | Primary and intended element |
<embed> | No | Use iframe for sandboxed embeds |
<object> | No | Different security model |
<div> | No | Not a global security attribute |
sandbox vs sandbox vs tokens| Capability | No sandbox | sandbox (empty) | allow-scripts |
|---|---|---|---|
| Run JavaScript | Yes | No | Yes |
| Submit forms | Yes | No | No (needs allow-forms) |
| Open popups | Yes | No | No (needs allow-popups) |
| Navigate parent page | Possible | Blocked | Still blocked |
| Unique origin | Normal origin | Yes (isolated) | Still isolated* |
*Adding allow-same-origin removes unique-origin treatment.
Locked-down iframe, selective allow-* tokens, and dynamic iframe.sandbox updates in JavaScript.
Iframe with empty sandbox — scripts inside are blocked:
The button does not run alert() without allow-scripts.
sandbox (max lockdown)Start with no permissions for untrusted embeds:
<iframe
src="https://untrusted.example/embed"
sandbox
title="Untrusted embed"
width="300"
height="200"
></iframe>Presence of sandbox alone activates the full restriction set. Add tokens only when you need more capability.
allow-scriptsEnable JavaScript while keeping forms and popups blocked:
<iframe
sandbox="allow-scripts"
title="Scripted widget"
srcdoc="<p id='msg'>Loading…</p><script>document.getElementById('msg').textContent='Script ran!';</script>"
width="280"
height="80"
></iframe>allow-scripts lifts the script ban only. Forms still need allow-forms; popups still need allow-popups.
Add sandbox tokens at runtime with iframe.sandbox:
<iframe id="dynamicIframe" sandbox src="about:blank"></iframe>
<button id="enableBtn">Allow scripts</button>
<script>
document.getElementById("enableBtn").addEventListener("click", () => {
document.getElementById("dynamicIframe").sandbox.add("allow-scripts");
});
</script>iframe.sandbox is a DOMTokenList. Use .add(), .remove(), and .contains() to manage tokens programmatically.
<iframe> a descriptive title for screen reader users.alert() inside the iframe is blocked (often desirable).Browser locks iframe down.
Isolated from parent cookies.
Lift only needed caps.
Least privilege for third-party content.
The sandbox attribute is supported in all modern browsers on <iframe> elements.
All major browsers enforce sandbox restrictions on iframe content.
iframe ExcellentBottom line: Use sandbox on all untrusted iframe embeds in production.
sandbox for third-party embedsallow-* tokens you truly needtitle on iframessrcdoc for small, controlled inline demosallow-scripts + allow-same-origin for untrusted sitessandbox on user-generated or ad iframesallow-popups-to-escape-sandbox without good reasonThe sandbox attribute is essential for safely embedding third-party content in <iframe> elements.
Start locked down, add allow-* tokens sparingly, and manage permissions with iframe.sandbox when you need dynamic control.
sandboxBookmark these before your next iframe embed.
Lock first.
ModelLift caps.
TokensElement.
ScopePair wisely.
Caution.add() in JS.
APIsandbox blocks scripts, forms, popups, and more. allow-* tokens lift specific restrictions.iframe.sandbox.add("allow-scripts") or setAttribute("sandbox", "allow-scripts allow-forms").iframe in all modern browsers.Practice the sandbox attribute with locked-down and token-based examples in the Try It editor.
3 people found this page helpful