What the iframe sandbox attribute does
The sandbox attribute on an <iframe> runs the embedded document under a set
of additional restrictions on top of the same-origin policy. The moment you add
the attribute, almost everything is switched off: scripts, forms, popups,
top-level navigation, the document’s own origin, plugins, and pointer lock. You
then opt back in to specific capabilities by listing allow-* tokens. This
“deny by default, allow explicitly” model is why sandbox is a core tool for
safely embedding untrusted third-party content.
Token quick-reference
| Token | What it re-enables | Risk level |
|---|---|---|
allow-scripts | JavaScript execution | Medium — combine with care |
allow-forms | Form submission | Low |
allow-same-origin | Frame keeps its real origin | High — dangerous with allow-scripts |
allow-popups | window.open(), target=_blank links | Medium |
allow-top-navigation | Navigate the top browsing context | High |
allow-top-navigation-by-user-activation | Top navigation only after a user gesture | Lower than unconditional |
allow-modals | alert(), confirm(), prompt() | Low |
allow-pointer-lock | Pointer Lock API | Low |
allow-popups-to-escape-sandbox | Popups open without inheriting sandbox | Medium |
allow-downloads | Downloads via anchor or form | Low |
How it works
Tokens are space-separated inside the attribute value:
<iframe src="widget.html" sandbox="allow-scripts allow-forms"></iframe>
Each token re-enables exactly one feature. With no tokens the frame is maximally
locked down and is also forced into a unique opaque origin, so even
same-origin content is treated as cross-origin. The single most important rule:
combining allow-scripts with allow-same-origin lets the framed page script
its own sandbox away, so reserve that pairing for fully trusted content. The
toggler below builds the attribute and flags that dangerous combination.
Practical examples
Embedding a third-party widget (e.g. a comment box):
<iframe src="https://comments.example/widget"
sandbox="allow-scripts allow-forms allow-popups">
</iframe>
Scripts and forms are needed for the widget UI. Popups may be needed for OAuth flows. allow-same-origin is deliberately omitted.
Sandboxed code preview (untrusted user code):
<iframe srcdoc="..." sandbox="allow-scripts"></iframe>
Scripts run so the preview is interactive, but the frame is forced into an opaque origin so it cannot access cookies or storage.
Read-only content embed (no interaction needed):
<iframe src="/embed/article" sandbox=""></iframe>
An empty sandbox is the maximum lockdown. Use it for decorative or purely informational embeds.
Tips
Prefer allow-top-navigation-by-user-activation over the unconditional
allow-top-navigation so framed content can only redirect the page after a real
click. allow-popups-to-escape-sandbox lets popups open without inheriting the
restrictions — useful for legitimate auth flows, risky for ads. Sandbox pairs
naturally with Content-Security-Policy and referrerpolicy; treat them as
layers, not substitutes.
Tokens are space-separated — do not use commas. A typo in a token name is silently ignored rather than causing an error, so double-check the spelling of each token you add.