Att Iframe Sandbox
2026-06-14 | HTML
## HTML `<iframe>` sandbox Attribute

The `sandbox` attribute of the `<iframe>` element enables an extra set of restrictions for the content in the iframe. It is a security feature introduced in HTML5 that lets developers run untrusted or third-party web pages in a highly restricted environment, preventing them from executing potentially malicious actions.

---

## Introduction to the Sandbox Attribute

When you embed an external web page using an `<iframe>`, that page can potentially execute malicious scripts, hijack user sessions, or redirect the parent window. By applying the `sandbox` attribute, you place the iframe content in a unique, restricted origin.

### Key Restrictions Applied by Default

When the `sandbox` attribute is present (even if it is empty: `sandbox=""`), it enforces the following restrictions on the iframe content:

* **Treats the content as being from a unique origin**, preventing it from accessing the parent page's DOM, cookies, local storage, or session storage.
* **Blocks script execution** (JavaScript is completely disabled).
* **Blocks form submission** (preventing phishing or unauthorized data collection).
* **Blocks APIs and features** like popups, automatic media playback, and pointer lock.
* **Prevents top-level navigation** (the iframe cannot redirect or navigate the parent window).

---

## Syntax

```html
<!-- "URL" and "value" are placeholders -->
<iframe src="URL" sandbox="value"></iframe>
```

### Attribute Values

You can specify an empty string (`sandbox=""`) to apply all restrictions, or provide a space-separated list of specific flags to selectively lift certain restrictions.

| Value | Description |
| :--- | :--- |
| `""` | **Default (Empty):** Applies all restrictions, securing the iframe completely. |
| `allow-forms` | Allows the resource to submit forms. |
| `allow-modals` | Allows the resource to open modal windows (e.g., `alert()`, `confirm()`). |
| `allow-orientation-lock` | Allows the resource to lock the screen orientation. |
| `allow-pointer-lock` | Allows the resource to use the Pointer Lock API (useful for 3D games). |
| `allow-popups` | Allows popups (such as `window.open()` and `target="_blank"` links). |
| `allow-popups-to-escape-sandbox` | Allows a sandboxed document to open new windows without forcing the sandbox restrictions on them. |
| `allow-presentation` | Allows the resource to start a presentation session. |
| `allow-same-origin` | Allows the content to be treated as being from its actual origin. If not specified, the content is treated as a unique origin, blocking access to cookies, local storage, and the same-origin DOM. |
| `allow-scripts` | Allows the resource to run scripts (but not create popups unless `allow-popups` is also set). |
| `allow-top-navigation` | Allows the resource to navigate the top-level browsing context (the parent window). |
| `allow-top-navigation-by-user-activation` | Allows the resource to navigate the top-level browsing context only when triggered by a user gesture (such as a click). |

---

## Code Examples

### 1. Maximum Security (All Restrictions Enabled)

Using an empty `sandbox` attribute blocks scripts, forms, same-origin access, and top-level navigation.

```html
<!-- "https://example.com" is a placeholder for the embedded page's URL -->
<iframe src="https://example.com" sandbox=""></iframe>
```

### 2. Allowing Form Submissions

This configuration restricts scripts and same-origin access but allows the user to submit forms within the iframe.

```html
<!-- "https://example.com" is a placeholder for the embedded page's URL -->
<iframe src="https://example.com" sandbox="allow-forms"></iframe>
```

### 3. Allowing Scripts and Same-Origin Access

This configuration allows the iframe to run JavaScript and access its own origin's cookies and local storage.

```html
<!-- "https://example.com" is a placeholder for the embedded page's URL -->
<iframe src="https://example.com" sandbox="allow-scripts allow-same-origin"></iframe>
```

---

## Important Security Considerations

### The Danger of Combining `allow-scripts` and `allow-same-origin`

> **Critical Security Warning:**
> Never use both `allow-scripts` and `allow-same-origin` together if the iframe content is hosted on the **same domain** as the parent page.
>
> If you do, the embedded page can programmatically remove its own `sandbox` attribute and reload itself, completely bypassing all sandbox restrictions.

### Browser Support

The `sandbox` attribute is widely supported by all modern browsers:

* Google Chrome
* Mozilla Firefox
* Microsoft Edge
* Apple Safari
* Opera

*Note: Internet Explorer 9 and earlier versions do not support the `sandbox` attribute.*
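The following helper, added here as an example and not part of the original page, turns the warning above into a check that runs before an iframe is emitted: it validates the requested flags against the table in this page and refuses `allow-scripts` together with `allow-same-origin` whenever the embedded URL shares the parent's origin. The function names (`buildSandbox`, `iframeTag`) and the URLs used are assumptions made for the example.

```javascript
// Added example (not from the original page): build a sandbox attribute value
// defensively and reject the combination that lets a same-origin frame unsandbox itself.
const SANDBOX_FLAGS = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock", "allow-pointer-lock",
  "allow-popups", "allow-popups-to-escape-sandbox", "allow-presentation",
  "allow-same-origin", "allow-scripts", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Origin of a URL (scheme + host + port), the unit the browser compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Returns the space-separated sandbox value ("" means every restriction applies).
// Throws on unknown flags and on the dangerous same-origin combination.
function buildSandbox(parentUrl, frameUrl, flags) {
  const unknown = flags.filter((f) => !SANDBOX_FLAGS.has(f));
  if (unknown.length > 0) {
    throw new Error(`unknown sandbox flag(s): ${unknown.join(" ")}`);
  }
  const sameOrigin = originOf(parentUrl) === originOf(frameUrl);
  const scripts = flags.includes("allow-scripts");
  const origin = flags.includes("allow-same-origin");
  if (sameOrigin && scripts && origin) {
    throw new Error(
      "allow-scripts + allow-same-origin on same-origin content: the frame could remove its own sandbox attribute"
    );
  }
  return [...new Set(flags)].join(" ");
}

// Minimal attribute-value escaping so the URL cannot break out of the src="" quotes.
function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Builds the final <iframe> markup with the validated sandbox value.
function iframeTag(parentUrl, frameUrl, flags) {
  const value = buildSandbox(parentUrl, frameUrl, flags);
  return `<iframe src="${escapeAttr(frameUrl)}" sandbox="${value}"></iframe>`;
}
```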