The HTML sandbox attribute
Quick answer
The HTML sandbox attribute applies extra restrictions to the framed content, re-enabling capabilities only via tokens. It is used on the <iframe> element.
Overview
The sandbox attribute applies extra restrictions to the framed content, re-enabling capabilities only via tokens. It applies to the <iframe> element.
A bare sandbox blocks scripts, forms, popups and treats the frame as a unique origin. Re-enable only what you trust. Avoid combining allow-scripts with allow-same-origin for untrusted content, as together they can remove the sandbox.
Syntax
<iframe src="widget.html" sandbox="allow-scripts"></iframe>
Values
| Value |
|---|
Empty (maximum restrictions) — or space-separated tokens such as allow-scripts, allow-forms, allow-popups, allow-same-origin. |
Best practices
Frequently asked questions
What does the sandbox attribute do?
Sandboxes an iframe with opt-in permissions.