References

Beginner-friendly references for web development, with live, editable examples.

The HTML sandbox attribute

Attribute All modern browsers Updated
Quick answer

The HTML sandbox attribute applies extra restrictions to the framed content, re-enabling capabilities only via tokens. It is used on the <iframe> element.

Overview

The sandbox attribute applies extra restrictions to the framed content, re-enabling capabilities only via tokens. It applies to the <iframe> element.

A bare sandbox blocks scripts, forms, popups and treats the frame as a unique origin. Re-enable only what you trust. Avoid combining allow-scripts with allow-same-origin for untrusted content, as together they can remove the sandbox.

Syntax

<iframe src="widget.html" sandbox="allow-scripts"></iframe>

Values

Value
Empty (maximum restrictions) — or space-separated tokens such as allow-scripts, allow-forms, allow-popups, allow-same-origin.

Best practices

  • Give every <iframe> a descriptive title.
  • Sandbox untrusted content with sandbox, and avoid combining allow-scripts with allow-same-origin for untrusted sources.
  • Grant only the features a frame needs with the allow attribute.
  • Defer off-screen frames with loading="lazy".

Frequently asked questions

What does the sandbox attribute do?
Sandboxes an iframe with opt-in permissions.
How do I make an iframe secure?
Restrict untrusted content with sandbox, grant minimal features with allow, and never pair allow-scripts with allow-same-origin for untrusted sources.
How do I embed inline HTML in an iframe?
Use the srcdoc attribute to supply the HTML directly instead of a src URL.
Which elements use the sandbox attribute?
It is an element-specific attribute, used on the <iframe>, <object> and <embed> elements.