# Att Iframe Sandbox

## HTML

The `sandbox` attribute is set directly on the `<iframe>` element (the original page's syntax block was lost in extraction; the form below is the standard attribute syntax):

```html
<iframe src="URL" sandbox="flag1 flag2 ..."></iframe>
```

### Attribute Values

You can specify an empty string (`sandbox=""`) to apply all restrictions, or provide a space-separated list of specific flags to selectively lift certain restrictions.

| Value | Description |
| :--- | :--- |
| `""` | **Default (Empty):** Applies all restrictions, securing the iframe completely. |
| `allow-forms` | Allows the resource to submit forms. |
| `allow-modals` | Allows the resource to open modal windows (e.g., `alert()`, `confirm()`). |
| `allow-orientation-lock` | Allows the resource to lock the screen orientation. |
| `allow-pointer-lock` | Allows the resource to use the Pointer Lock API (useful for 3D games). |
| `allow-popups` | Allows popups (such as `window.open()`, `target="_blank"` links). |
| `allow-popups-to-escape-sandbox` | Allows a sandboxed document to open new windows without forcing the sandbox restrictions on them. |
| `allow-presentation` | Allows the resource to start a presentation session. |
| `allow-same-origin` | Allows the content to be treated as being from its actual origin. If not specified, the content is treated as a unique origin, blocking access to cookies, local storage, and same-origin DOM. |
| `allow-scripts` | Allows the resource to run scripts (but not create popups unless `allow-popups` is also set). |
| `allow-top-navigation` | Allows the resource to navigate the top-level browsing context (the parent window). |
| `allow-top-navigation-by-user-activation` | Allows the resource to navigate the top-level browsing context only when triggered by a user gesture (like a click). |

---

## Code Examples

The `src` values below are placeholders; the original page's snippets were lost in extraction and are reconstructed from each example's description.

### 1. Maximum Security (All Restrictions Enabled)

Using an empty `sandbox` attribute blocks scripts, forms, same-origin access, and top-level navigation.

```html
<!-- src is a placeholder -->
<iframe src="https://example.com/embedded-page.html" sandbox=""></iframe>
```

### 2. Allowing Form Submissions

This configuration restricts scripts and same-origin access but allows the user to submit forms within the iframe.

```html
<!-- src is a placeholder -->
<iframe src="https://example.com/contact-form.html" sandbox="allow-forms"></iframe>
```

### 3. Allowing Scripts and Same-Origin Access

This configuration allows the iframe to run JavaScript and access its own origin's cookies and local storage.

```html
<!-- src is a placeholder; see the warning below before using this combination -->
<iframe src="https://example.com/widget.html" sandbox="allow-scripts allow-same-origin"></iframe>
```

---

## Important Security Considerations

### The Danger of Combining `allow-scripts` and `allow-same-origin`

> ⚠️ **Critical Security Warning:**
> Never use both `allow-scripts` and `allow-same-origin` together if the iframe content is hosted on the **same domain** as the parent page.
>
> If you do, the embedded page can programmatically remove its own `sandbox` attribute and reload itself, completely bypassing all sandbox restrictions.

### Browser Support

The `sandbox` attribute is widely supported by all modern browsers:

* Google Chrome
* Mozilla Firefox
* Microsoft Edge
* Apple Safari
* Opera

*Note: Internet Explorer 9 and earlier versions do not support the `sandbox` attribute.*
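As an added example (not part of the original page), the Node.js helper below parses a `sandbox` attribute value the way the table above describes it, reports tokens a browser would silently ignore, and flags the `allow-scripts` + `allow-same-origin` combination from the warning above. The `sameOriginAsParent` option is an assumption the caller supplies, since the attribute value alone cannot tell whether the framed page shares the parent's origin; `renderSandboxedIframe` is a hypothetical helper name.

```javascript
// Added example, not from the original page: an audit helper for the value
// of an <iframe sandbox="..."> attribute. It encodes only the flags listed in
// the table above and the allow-scripts + allow-same-origin caveat.

// Every token the sandbox attribute accepts, per the table above.
const SANDBOX_FLAGS = new Set([
  'allow-forms',
  'allow-modals',
  'allow-orientation-lock',
  'allow-pointer-lock',
  'allow-popups',
  'allow-popups-to-escape-sandbox',
  'allow-presentation',
  'allow-same-origin',
  'allow-scripts',
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// The attribute is a space-separated, case-insensitive token list; tokens a
// browser does not recognise are silently ignored, so they are reported.
function parseSandbox(value) {
  const flags = new Set();
  const unknown = [];
  for (const raw of String(value).trim().split(/\s+/)) {
    if (raw === '') continue;
    const token = raw.toLowerCase();
    if (SANDBOX_FLAGS.has(token)) flags.add(token);
    else unknown.push(token);
  }
  return { flags, unknown };
}

// Summarise what a sandbox value permits and list review findings.
// `sameOriginAsParent` is an assumption supplied by the caller: whether the
// framed document is served from the same origin as the parent page.
function auditSandbox(value, { sameOriginAsParent = false } = {}) {
  const { flags, unknown } = parseSandbox(value);
  const findings = [];

  if (unknown.length > 0) {
    findings.push(`unknown token(s) ignored by browsers: ${unknown.join(', ')}`);
  }

  // The combination the page warns about: a same-origin frame with scripts
  // can reach the parent DOM, strip its own sandbox attribute and reload.
  if (flags.has('allow-scripts') && flags.has('allow-same-origin')) {
    findings.push(sameOriginAsParent
      ? 'CRITICAL: allow-scripts + allow-same-origin on same-origin content; the frame can remove its own sandbox'
      : 'WARNING: allow-scripts + allow-same-origin; acceptable only for trusted cross-origin content');
  }

  if (flags.has('allow-top-navigation')) {
    findings.push('allow-top-navigation lets the frame redirect the parent page without a user gesture; prefer allow-top-navigation-by-user-activation');
  }

  // Popups are blocked outright unless allow-popups is set, so the escape
  // flag on its own changes nothing.
  if (flags.has('allow-popups-to-escape-sandbox') && !flags.has('allow-popups')) {
    findings.push('allow-popups-to-escape-sandbox has no effect unless allow-popups is also set');
  }

  return {
    flags: [...flags].sort(),
    uniqueOrigin: !flags.has('allow-same-origin'), // no cookies, storage or same-origin DOM
    scriptsRun: flags.has('allow-scripts'),
    formsAllowed: flags.has('allow-forms'),
    findings,
  };
}

// Hypothetical helper: render an iframe tag with only the recognised flags,
// escaping the src so a crafted URL cannot break out of the attribute.
function renderSandboxedIframe(src, value) {
  const escapeAttr = (s) => String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
  const flags = auditSandbox(value).flags.join(' ');
  return `<iframe src="${escapeAttr(src)}" sandbox="${flags}"></iframe>`;
}

// Usage: audit the three configurations from the Code Examples section as if
// the framed page were same-origin with the parent.
for (const v of ['', 'allow-forms', 'allow-scripts allow-same-origin']) {
  console.log(JSON.stringify(auditSandbox(v, { sameOriginAsParent: true })));
}
```

Run it with `node` to see that the empty value and `allow-forms` produce no findings while the third configuration is reported as critical; the same helper can be pointed at attribute values pulled from a template or a CSP review checklist.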