iframe sandbox
What is iframe sandbox?
iframe sandbox: HTML attribute that applies extra restrictions to an iframe's content, blocking scripts, forms, navigation, and same-origin access unless explicitly re-enabled.
The sandbox attribute on an <iframe> applies a least-privilege policy to embedded content. By default it disables scripts, plugins, form submission, top-level navigation, popups, and pointer lock, and it treats the frame as a unique opaque origin so that it cannot share cookies or storage with the parent. Capabilities are re-enabled one by one via tokens such as allow-scripts, allow-same-origin, allow-forms, and allow-popups. Sandboxing is a critical mitigation when embedding third-party widgets, untrusted user content, ads, or rich-text previews. Granting both allow-scripts and allow-same-origin together effectively removes the sandbox.
● Examples
- 01 <iframe src="/preview" sandbox="allow-scripts"></iframe> for safely rendering untrusted HTML.
- 02 Embedding a third-party widget with sandbox="" to deny all capabilities.
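An added example, not part of the original page: a small Node.js check that reads the sandbox attribute of each <iframe> in a piece of markup and flags frames with no sandbox, tokens the browser will ignore, and the allow-scripts plus allow-same-origin combination described above. The function names, finding labels and sample markup are assumptions constructed for illustration, and the regex tag matching is a simplification of what an HTML parser would do.

```javascript
// Sandbox tokens defined by the HTML Standard; browsers ignore anything else.
const KNOWN = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Matches a bare `sandbox`, or sandbox= with a double-quoted, single-quoted or unquoted value.
const ATTR = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s>\/])/i;

// Returns null when the attribute is absent, else the set of lower-cased tokens
// (tokens are ASCII case-insensitive and separated by ASCII whitespace).
function sandboxTokens(tag) {
  const m = ATTR.exec(tag);
  if (!m) return null;
  const value = m[1] ?? m[2] ?? m[3] ?? "";
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

function auditIframe(tag) {
  const tokens = sandboxTokens(tag);
  if (tokens === null) return ["not-sandboxed"];
  const findings = [];
  for (const t of tokens) if (!KNOWN.has(t)) findings.push(`unknown-token:${t}`);
  // With both tokens, a framed document that shares the embedder's origin can
  // script its parent and remove the sandbox attribute from its own frame.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin"))
    findings.push("scripts+same-origin");
  return findings;
}

// Audits every <iframe ...> start tag found in an HTML string.
function auditHtml(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => ({ tag, findings: auditIframe(tag) }));
}

// Constructed sample markup (paths and hosts are placeholders).
const SAMPLE = `
<iframe src="/preview" sandbox="allow-scripts"></iframe>
<iframe src="https://widget.example/" sandbox=""></iframe>
<iframe src="/editor" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="/ad" sandbox="Allow-Forms allow-script"></iframe>
<iframe src="/legacy"></iframe>`;
for (const { tag, findings } of auditHtml(SAMPLE)) console.log(findings.join(",") || "ok", tag);
```

A mistyped token such as allow-script is reported because the browser silently drops it, so the frame runs with fewer capabilities than the author intended.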
● Frequently asked questions
What is iframe sandbox?
HTML attribute that applies extra restrictions to an iframe's content, blocking scripts, forms, navigation, and same-origin access unless explicitly re-enabled. It belongs to the Application Security category of cybersecurity.
How do you defend against iframe sandbox?
Defences for iframe sandbox typically combine technical controls and operational practices, as detailed in the full definition above.
● Related terms
- appsec № 960
Same-Origin Policy (SOP)
Browser security rule that restricts how a document or script loaded from one origin can interact with a resource from a different origin.
- appsec № 214
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.
- attacks № 180
Clickjacking
A UI-redress attack that tricks users into clicking on something different from what they perceive by overlaying or hiding a target page inside an attacker-controlled page.
- attacks № 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- appsec № 1179
Trusted Types
Browser API and CSP directive that prevents DOM-based XSS by requiring dangerous DOM sinks to receive typed, policy-vetted values instead of raw strings.
- appsec № 496
HTTP Security Headers
Response headers that instruct browsers to enforce defensive behaviour such as HTTPS-only, framing restrictions, content policies and referrer controls.
● See also
- № 693 Mobile App Sandbox
- № 129 Browser Sandbox