References

Beginner-friendly references for web development, with live, editable examples.

The HTML allow attribute

Attribute All modern browsers Updated June 22, 2026

Quick answer

The HTML allow attribute sets a Permissions Policy controlling which features the framed content may use. It is used on the <iframe> element.

Overview

The allow attribute sets a Permissions Policy controlling which features the framed content may use. It applies to the <iframe> element.

It controls powerful features (camera, microphone, geolocation, fullscreen, autoplay) inside the frame, replacing older one-off attributes like allowfullscreen for fine-grained control.

Syntax

<iframe src="map.html" allow="geolocation"></iframe>

Values

Value
A Permissions-Policy directive list, e.g. `camera 'none'; fullscreen *; geolocation (self)`.

Best practices

Give every <iframe> a descriptive title.
Sandbox untrusted content with sandbox, and avoid combining allow-scripts with allow-same-origin for untrusted sources.
Grant only the features a frame needs with the allow attribute.
Defer off-screen frames with loading="lazy".

Frequently asked questions

What does the allow attribute do?

Sets a Permissions Policy for an iframe.

How do I make an iframe secure?

Restrict untrusted content with sandbox, grant minimal features with allow, and never pair allow-scripts with allow-same-origin for untrusted sources.

How do I embed inline HTML in an iframe?

Use the srcdoc attribute to supply the HTML directly instead of a src URL.

Which elements use the allow attribute?

It is an element-specific attribute, used on the <iframe>, <object> and <embed> elements.

action allowfullscreen