New in HTML5.

<iframe sandbox="">

Disclosure: Your support helps keep the site running! We earn a referral fee for some of the services we recommend on this page. Learn more
Attribute of
Using The HTML Tag To Create Inline Frames: Here's How
What does <iframe sandbox=""> do?
Places a set of security and usability restrictions on the iframe.

Code Example

<iframe width="100%"  height="600"  src="/code-samples/autoplay-flamingo/" sandbox></iframe>
<p>In the <a href="/code-samples/autoplay-flamingo/">source document</a>, the video starts playback automatically. But in sandbox mode, the video does not autoplay.</p>

In the source document, the video starts playback automatically. But in sandbox mode, the video does not autoplay.

Restricting and re-enabling

Adding the sandbox attribute to an <iframe> element places the element into sandbox mode, which adds the following restrictions to how the browser treats the document inside the iframe:

  • iframe content is treated as being from a different origin than the primary document
  • blocks form submission
  • block JavaScript execution
  • disable Pointer Lock API (mouse movement capture)
  • prevents anchor links from targeting other browsing contexts (opening in a new tab or window)
  • prevents use of plugins (<embed>, <object>, <applet>, or other)
  • prevent the content from navigating its top-level browsing context
  • blocks auto playback of media

These sandbox precautions can help maintain browser security, which is especially useful if the <iframe> is embedding a third-party document over which you have no control.

Each of these restrictions can be lifted individually using attribute values.

Values of the sandbox Attribute

Value NameNotes
allow-top-navigationAllows a sandboxed iframe to navigate its top-level browsing context
allow-scriptsRe-enables JavaScript in a sandboxed iframe.
allow-same-originAllows the content of a sandboxed iframe to be treated as having the same origin as the primary document.
allow-popupsRe-enables popups in a sandboxed iframe.
allow-pointer-lockRe-enables the Pointer Lock API (mouse movement capture) in sandboxed a iframe.
allow-formsRe-enables form submission in a sandboxed iframe.

All Attributes of iframe Element

Attribute nameValuesNotes
sandboxallow-top-navigation
allow-scripts
allow-same-origin
allow-popups
allow-pointer-lock
allow-forms
Places a set of security and usability restrictions on the iframe.
scrollingWas used to toggle scrolling on iframes. Deprecated in HTML5. Use CSS instead.
nameSpecifies the name of an iframe.
alignWas used to set the alignment of an inline frame relative to surrounding elements. Deprecated. Use CSS instead.
frameborderWas used to toggle the display of a border around an iframe. Deprecated in HTML5. Use CSS instead.
longdescWas used to specify URL containing a long description of an iframe. Deprecated in HTML5. Use CSS instead.
marginwidthWas used to control the width of margins around an iframe. Deprecated in HTML5. Use CSS instead.
srcSpecifies the URL of a document to display in an iframe.
vspaceWas used to control the vertical spacing around an iframe. Deprecated in HTML5. Use CSS instead.
widthSpecifies the width of an iframe.
Adam is a technical writer who specializes in developer documentation and tutorials.

Browser Support for sandbox

iefirefoxchromeedgesafariopera
10434513934