Table of Contents
How It Works
Relaxing Restrictions with Tokens
Example: Allow Scripts and Forms
Security Considerations
Practical Use Cases

What is the iframe sandbox attribute in HTML5?

Aug 08, 2025 03:25 PM

The sandbox attribute in HTML5 restricts what an iframe's content can do, isolating untrusted content from the embedding page. 1) By default it blocks JavaScript, form submission, popups, top-level navigation, access to the parent page, plugins, and automatic features such as autoplay. 2) Restrictions are lifted selectively with tokens such as allow-scripts, allow-forms, allow-same-origin, allow-top-navigation, allow-popups, allow-pointer-lock, allow-orientation-lock, and allow-presentation. 3) Combining allow-scripts with allow-same-origin can let the framed content undo the sandbox, so avoid it unless the content is trusted. 4) Common use cases are embedding user-generated content, ads, and third-party widgets. 5) The attribute is widely supported and creates a controlled environment in which every privilege must be granted explicitly.


The sandbox attribute in HTML5 is a security feature applied to an <iframe> element that restricts what the content inside the iframe can do. It isolates untrusted content, such as third-party pages or user-generated HTML, by limiting its capabilities, which reduces the impact of malicious behaviour such as injected scripts or phishing redirects of the top-level page.


By default, when you add the sandbox attribute without any value, it applies the full set of restrictions. The embedded document is placed in a unique opaque origin (so it is cross-origin to everything, including the page it came from), and most active features are blocked unless explicitly allowed.

How It Works

You apply the sandbox attribute directly to the <iframe> tag:

<iframe src="example.html" sandbox></iframe>

With just sandbox (no value), the following restrictions are enforced:

  • JavaScript is disabled.
  • Forms cannot be submitted.
  • The content cannot navigate the top-level page (target="_top") and cannot open new windows or tabs (window.open(), target="_blank").
  • The content runs in an opaque origin, so it cannot read the parent document or window, and it does not get its own origin's cookies or storage either.
  • Plugins (like Flash) are disabled.
  • Modal dialogs (alert, confirm, prompt) and automatic features such as media autoplay and autofocus are blocked.

Relaxing Restrictions with Tokens

You can selectively lift certain restrictions by adding specific allowance tokens as the value of the sandbox attribute. These are space-separated keywords.


Common tokens include:

  • allow-scripts – Allows JavaScript execution.
  • allow-forms – Permits form submission.
  • allow-same-origin – Lets the content keep its real origin instead of an opaque one, so it regains that origin's cookies and storage (dangerous when combined with allow-scripts, see below).
  • allow-top-navigation – Allows the iframe to navigate the top-level page; allow-top-navigation-by-user-activation is the safer variant that only permits it in response to a user gesture.
  • allow-popups – Enables window.open() and target="_blank" links. Opened windows inherit the sandbox unless allow-popups-to-escape-sandbox is also given.
  • allow-modals – Allows alert(), confirm(), prompt() and similar dialogs.
  • allow-downloads – Allows the content to start downloads.
  • allow-pointer-lock – Permits using the Pointer Lock API.
  • allow-orientation-lock – Allows locking screen orientation.
  • allow-presentation – Allows starting a presentation session (e.g., via the Presentation API).

Note that there is no allow-fullscreen sandbox token: fullscreen is granted with the separate allowfullscreen attribute (or allow="fullscreen"). Browsers silently ignore tokens they do not recognise, so a misspelled token leaves the corresponding restriction in place.

Example: Allow Scripts and Forms

<iframe src="untrusted.html" sandbox="allow-scripts allow-forms"></iframe>

This allows the iframe to run JavaScript and submit forms, but still blocks popups and top-level navigation, and because the content keeps an opaque origin it cannot reach the parent page, its cookies or its storage.

Security Considerations

Using sandbox with neither allow-scripts nor allow-same-origin gives the strongest isolation. Keep the following in mind when relaxing it:

  • Do not combine allow-scripts and allow-same-origin for content served from your own origin: the framed page becomes same-origin with the parent, can reach parent.document, remove the sandbox attribute from its own iframe and reload itself unsandboxed. For cross-origin third-party content the combination is less severe, but it still hands the third party its cookies and storage, so reserve it for content you trust.
  • Without allow-same-origin, allow-scripts does not let the content read the parent's DOM, cookies or storage; the only sanctioned channel is window.postMessage. On the parent side such a frame reports event.origin === "null", so check event.source against the iframe's contentWindow instead of trusting the origin string.
  • sandbox limits what the frame can do in the browser, not what it can show or fetch: a sandboxed page can still load remote resources and render a convincing login form. Pair it with a Content Security Policy on the embedding page and do not treat sandbox as an XSS filter for your own markup.
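As an added example (not code from the original article), the following JavaScript builds a sandboxed srcdoc embed for user-submitted HTML using the tokens listed above and audits a sandbox value for the combinations discussed under Security Considerations. The token list is the one defined by the HTML Standard; the function names, the finding messages and the sample user HTML are this example's own assumptions.

```javascript
// Added example (not from the original article): build and audit iframe sandbox
// attributes for embedding untrusted HTML. Runs under Node or in a browser.
'use strict';

// Tokens defined by the HTML Standard for the sandbox attribute. Browsers ignore
// tokens they do not recognise, so a misspelled token silently keeps the
// restriction in place; the audit below flags that.
const SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Split an attribute value into its tokens (ASCII whitespace separated,
// case-insensitive, duplicates collapsed).
function parseSandbox(value) {
  return new Set(String(value).toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Return a list of findings for a sandbox attribute value. An empty list means
// nothing a reviewer would object to; the messages are this example's wording.
function auditSandbox(value) {
  const tokens = parseSandbox(value);
  const findings = [];
  for (const t of tokens) {
    if (!SANDBOX_TOKENS.has(t)) {
      findings.push(`unknown token "${t}" is ignored by browsers (check spelling)`);
    }
  }
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: same-origin content can remove the sandbox attribute from the parent');
  }
  if (tokens.has('allow-top-navigation')) {
    findings.push('allow-top-navigation: embedded content can redirect the whole tab (phishing risk); prefer allow-top-navigation-by-user-activation');
  }
  if (tokens.has('allow-popups-to-escape-sandbox')) {
    findings.push('allow-popups-to-escape-sandbox: windows opened by the frame run unsandboxed');
  }
  return findings;
}

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build an <iframe srcdoc> that renders untrusted HTML in a sandbox. Throws
// instead of emitting markup when a token is unknown or when allow-scripts and
// allow-same-origin are requested together (hypothetical helper for this example).
function sandboxedEmbed(untrustedHtml, tokens = []) {
  const value = tokens.join(' ');
  const parsed = parseSandbox(value);
  for (const t of parsed) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  if (parsed.has('allow-scripts') && parsed.has('allow-same-origin')) {
    throw new Error('refusing allow-scripts together with allow-same-origin for untrusted content');
  }
  // Without allow-same-origin the srcdoc document gets an opaque origin, so even
  // inline scripts in it cannot reach the embedding page's DOM, cookies or storage.
  return `<iframe sandbox="${escapeAttr(value)}" srcdoc="${escapeAttr(untrustedHtml)}" referrerpolicy="no-referrer"></iframe>`;
}

// Constructed sample: user-submitted HTML that tries to break out of the
// attribute and reach the parent page.
const USER_HTML = '<p>hi</p>"><script>parent.document.cookie</script>';

console.log(auditSandbox('allow-scripts allow-same-origin allow-script'));
console.log(sandboxedEmbed(USER_HTML, ['allow-scripts']));
```

The builder refuses the dangerous combination outright rather than warning, because user-submitted HTML is by definition untrusted; the audit function is meant for reviewing sandbox values already present in templates, where a warning plus human judgement is the right outcome.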

Practical Use Cases

  • Embedding user-submitted HTML (e.g., in a code playground).
  • Displaying ads or third-party widgets securely.
  • Previewing external websites in a controlled environment.

The sandbox attribute is well-supported in modern browsers and is a key tool for improving web security when dealing with embedded content.

Basically, it's a way to run untrusted pages in a "jail" — you decide what privileges to give back.
