iframe sandbox Attribute Tokens

All sandbox token values with what capability they re-allow and default block.

Reference for the HTML iframe sandbox attribute tokens including allow-scripts, allow-forms, allow-same-origin, allow-popups and allow-top-navigation, with what each re-enables and the secure default block list. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What does an empty sandbox attribute do?

An empty sandbox (sandbox="") applies the maximum set of restrictions: scripts disabled, forms disabled, the frame forced into a unique opaque origin, popups blocked, top-level navigation blocked, plugins blocked, and more. Each token you add relaxes exactly one restriction.

What the iframe sandbox attribute does

The sandbox attribute on an <iframe> runs the embedded document under a set of additional restrictions on top of the same-origin policy. The moment you add the attribute, almost everything is switched off: scripts, forms, popups, top-level navigation, the document’s own origin, plugins, and pointer lock. You then opt back in to specific capabilities by listing allow-* tokens. This “deny by default, allow explicitly” model is why sandbox is a core tool for safely embedding untrusted third-party content.

Token quick-reference

TokenWhat it re-enablesRisk level
allow-scriptsJavaScript executionMedium — combine with care
allow-formsForm submissionLow
allow-same-originFrame keeps its real originHigh — dangerous with allow-scripts
allow-popupswindow.open(), target=_blank linksMedium
allow-top-navigationNavigate the top browsing contextHigh
allow-top-navigation-by-user-activationTop navigation only after a user gestureLower than unconditional
allow-modalsalert(), confirm(), prompt()Low
allow-pointer-lockPointer Lock APILow
allow-popups-to-escape-sandboxPopups open without inheriting sandboxMedium
allow-downloadsDownloads via anchor or formLow

How it works

Tokens are space-separated inside the attribute value:

<iframe src="widget.html" sandbox="allow-scripts allow-forms"></iframe>

Each token re-enables exactly one feature. With no tokens the frame is maximally locked down and is also forced into a unique opaque origin, so even same-origin content is treated as cross-origin. The single most important rule: combining allow-scripts with allow-same-origin lets the framed page script its own sandbox away, so reserve that pairing for fully trusted content. The toggler below builds the attribute and flags that dangerous combination.

Practical examples

Embedding a third-party widget (e.g. a comment box):

<iframe src="https://comments.example/widget"
  sandbox="allow-scripts allow-forms allow-popups">
</iframe>

Scripts and forms are needed for the widget UI. Popups may be needed for OAuth flows. allow-same-origin is deliberately omitted.

Sandboxed code preview (untrusted user code):

<iframe srcdoc="..." sandbox="allow-scripts"></iframe>

Scripts run so the preview is interactive, but the frame is forced into an opaque origin so it cannot access cookies or storage.

Read-only content embed (no interaction needed):

<iframe src="/embed/article" sandbox=""></iframe>

An empty sandbox is the maximum lockdown. Use it for decorative or purely informational embeds.

Tips

Prefer allow-top-navigation-by-user-activation over the unconditional allow-top-navigation so framed content can only redirect the page after a real click. allow-popups-to-escape-sandbox lets popups open without inheriting the restrictions — useful for legitimate auth flows, risky for ads. Sandbox pairs naturally with Content-Security-Policy and referrerpolicy; treat them as layers, not substitutes.

Tokens are space-separated — do not use commas. A typo in a token name is silently ignored rather than causing an error, so double-check the spelling of each token you add.