Vol. 1 · Ed. 2026
CyberGlossary
Entry № 577

iframe sandbox

Reviewed by Cybersecurity entrepreneur & security researcher

What is iframe sandbox?

iframe sandbox: HTML attribute that applies extra restrictions to an iframe's content, blocking scripts, forms, navigation, and same-origin access unless explicitly re-enabled.


The sandbox attribute on an <iframe> applies a least-privilege policy to embedded content. With the attribute present and empty (sandbox=""), the browser blocks script execution, form submission, top-level navigation, popups, pointer lock, modal dialogs, downloads and plugins, and gives the framed document a unique opaque origin, so it cannot read the parent's cookies, storage or DOM even when loaded from the same site. Individual capabilities are re-enabled by adding space-separated tokens such as allow-scripts, allow-same-origin, allow-forms, allow-popups and allow-top-navigation; tokens the browser does not recognise are ignored rather than rejected, so a typo silently grants nothing. Sandboxing is a critical mitigation when embedding third-party widgets, untrusted user content, ads, or rich-text previews. The caveat that matters most: granting allow-scripts and allow-same-origin together to content that is same-origin with the embedding page removes the protection entirely, because the framed script can reach the parent document, delete the sandbox attribute from its own <iframe> and reload itself unsandboxed. For cross-origin content that pairing does not give access to the parent, but it does hand the frame its real origin's cookies and storage. The sandbox also limits only what the framed document may do inside the browser; it does not prevent that document from making its own network requests or from showing the user misleading UI.

Examples

  1. <iframe src="/preview" sandbox="allow-scripts"></iframe> for rendering untrusted HTML: scripts may run, but in an opaque origin with no access to the parent's cookies, storage or DOM.

  2. Embedding a third-party widget with sandbox="" to deny every capability.
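The two examples above and the allow-scripts + allow-same-origin caveat in the definition can be checked mechanically. The following is an added example, not code from the original page: a small Node helper that parses a sandbox token list the way the attribute is defined (whitespace-separated, case-insensitive set), flags unknown tokens, works out whether the framed document would share the embedder's origin, and reports the combination that lets same-origin content remove its own sandbox. The helper names (parseSandbox, auditSandboxedFrame, renderIframe), the parent origin https://app.example and the sample frame definitions are all constructed for this illustration.

```javascript
// Added example, not from the original page: an audit helper for
// <iframe sandbox> values. Helper names, the parent origin and the
// sample frames below are constructed for illustration.

// Tokens defined by the HTML Standard. Browsers silently ignore anything
// else, so a misspelled token weakens nothing but also grants nothing.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// The attribute is an unordered, ASCII-case-insensitive set of
// whitespace-separated tokens; "" means every capability stays off.
function parseSandbox(value) {
  return new Set(value.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase()));
}

// Origin the framed document would have before sandboxing is applied.
// srcdoc documents and about:blank inherit the embedder's origin.
function frameOrigin({ src, srcdoc }, parentOrigin) {
  if (srcdoc !== undefined || src === undefined || src === 'about:blank') return parentOrigin;
  return new URL(src, parentOrigin + '/').origin;
}

// Returns a list of findings; an empty list means nothing obviously wrong.
function auditSandboxedFrame(frame, parentOrigin) {
  const findings = [];
  if (frame.sandbox === undefined) {
    findings.push({ severity: 'high', msg: 'no sandbox attribute: frame keeps full capabilities' });
    return findings;
  }
  const tokens = parseSandbox(frame.sandbox);
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push({ severity: 'medium', msg: `unknown token "${t}" is ignored` });
  }
  const sameOrigin = frameOrigin(frame, parentOrigin) === parentOrigin;
  // The classic escape: same-origin content with script access can reach
  // window.parent.document, delete the sandbox attribute on its own
  // <iframe> and reload itself unsandboxed.
  if (sameOrigin && tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push({
      severity: 'high',
      msg: 'allow-scripts + allow-same-origin on same-origin content: framed script can remove the sandbox',
    });
  }
  if (tokens.has('allow-top-navigation')) {
    findings.push({ severity: 'medium', msg: 'allow-top-navigation lets the frame redirect the whole tab' });
  }
  return findings;
}

// Emit the element with the attribute always present, so an empty policy
// renders as sandbox="" (deny everything) instead of being dropped.
function renderIframe({ src = 'about:blank', sandbox }) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
  return `<iframe src="${esc(src)}" sandbox="${esc(sandbox)}"></iframe>`;
}

// Constructed sample frames for a page served from https://app.example.
const PARENT = 'https://app.example';
const SAMPLES = [
  { src: '/preview', sandbox: 'allow-scripts' },                                      // clean: opaque origin
  { src: '/preview', sandbox: 'allow-scripts allow-same-origin' },                    // same-origin escape
  { src: 'https://widget.example/embed', sandbox: '' },                              // deny everything
  { src: 'https://ads.example/unit', sandbox: 'allow-script allow-top-navigation' }, // typo + tab redirect
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const frame of SAMPLES) {
    console.log(renderIframe(frame));
    for (const f of auditSandboxedFrame(frame, PARENT)) console.log(`  [${f.severity}] ${f.msg}`);
  }
}
```

Run it with node and the second sample is the only one reported as high: the same tokens on the cross-origin widget are not flagged as an escape, because a widget.example script has no access to the app.example parent, though it does keep its own origin's cookies. The origin computation is deliberately done before sandboxing is applied, since that is the origin the document gets back when allow-same-origin is present.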

Frequently asked questions

What is iframe sandbox?

HTML attribute that applies extra restrictions to an iframe's content, blocking scripts, forms, navigation, and same-origin access unless explicitly re-enabled. It belongs to the Application Security category of cybersecurity.

What does iframe sandbox mean?

HTML attribute that applies extra restrictions to an iframe's content, blocking scripts, forms, navigation, and same-origin access unless explicitly re-enabled.

How do you use iframe sandbox defensively?

Add the attribute to every <iframe> that loads content you do not fully control, start from sandbox="" and re-enable only the tokens the content actually needs, and never combine allow-scripts with allow-same-origin on content served from your own origin. Treat the sandbox as one layer: pair it with a Content Security Policy (frame-src on the embedding page, frame-ancestors on pages that should not be framed) and, for user-supplied markup, with server-side sanitisation, as detailed in the full definition above.
