iframe sandbox
What is iframe sandbox?
iframe sandboxHTML attribute that applies extra restrictions to an iframe's content, blocking scripts, forms, navigation, and same-origin access unless explicitly re-enabled.
The sandbox attribute on an <iframe> applies a least-privilege policy to embedded content. By default it disables scripts, plugins, form submission, top-level navigation, popups, pointer-lock, and treats the frame as a unique opaque origin so it cannot share cookies or storage with the parent. Capabilities are re-enabled one by one via tokens such as allow-scripts, allow-same-origin, allow-forms, and allow-popups. Sandboxing is a critical mitigation when embedding third-party widgets, untrusted user content, ads, or rich-text previews. Granting both allow-scripts and allow-same-origin together effectively removes the sandbox.
● Examples
- 01
<iframe src="/preview" sandbox="allow-scripts"></iframe> for safely rendering untrusted HTML.
- 02
Embedding a third-party widget with sandbox="" to deny all capabilities.
● Frequently asked questions
What is iframe sandbox?
HTML attribute that applies extra restrictions to an iframe's content, blocking scripts, forms, navigation, and same-origin access unless explicitly re-enabled. It belongs to the Application Security category of cybersecurity.
What does iframe sandbox mean?
HTML attribute that applies extra restrictions to an iframe's content, blocking scripts, forms, navigation, and same-origin access unless explicitly re-enabled.
How do you defend against iframe sandbox?
Defences for iframe sandbox typically combine technical controls and operational practices, as detailed in the full definition above.