HTML iframe sandbox Attribute

HTML <iframe> sandbox Attribute

❮ HTML <iframe> tag


An <iframe> with extra restrictions:

<iframe src="demo_iframe_sandbox.htm" sandbox></iframe>
Try it Yourself »

More "Try it Yourself" examples below.

Definition and Usage

The sandbox attribute enables an extra set of restrictions for the content in the iframe.

When the sandbox attribute is present, and it will:

  • treat the content as being from a unique origin
  • block form submission
  • block script execution
  • disable APIs
  • prevent links from targeting other browsing contexts
  • prevent content from using plugins (through <embed>, <object>, <applet>, or other)
  • prevent the content to navigate its top-level browsing context
  • block automatically triggered features (such as automatically playing a video or automatically focusing a form control)

The value of the sandbox attribute can either be just sandbox (then all restrictions are applied), or a space-separated list of pre-defined values that will REMOVE the particular restrictions.

Browser Support

The numbers in the table specify the first browser version that fully supports the attribute.

sandbox 4.0 10.0 17.0 5.0 15.0

Differences Between HTML 4.01 and HTML5

The sandbox attribute is new in HTML5.


<iframe sandbox="value">

Attribute Values

Value Description
(no value) Applies all restrictions
allow-forms Re-enables form submission
allow-pointer-lock Re-enables APIs
allow-popups Re-enables popups
allow-same-origin Allows the iframe content to be treated as being from the same origin
allow-scripts Re-enables scripts
allow-top-navigation Allows the iframe content to navigate its top-level browsing context

More Examples


An <iframe> sandbox allowing form submission:

<iframe src="demo_iframe_sandbox_form.htm" sandbox="allow-forms"></iframe>
Try it Yourself »


An <iframe> sandbox allowing scripts and access to server content:

<iframe src="demo_iframe_sandbox_origin.htm" sandbox="allow-same-origin allow-scripts"></iframe>
Try it Yourself »

❮ HTML <iframe> tag