The HTML <iframe> sandbox attribute adds extra security by restricting the behavior of embedded content. It can allow or block features like form submission, scripting, and navigation inside the iframe.
- Restricts content origin, scripts, forms, APIs, and automatic features like autoplay or autofocus.
- Prevents links and embedded content from navigating or opening other browsing contexts.
- An empty sandbox attribute applies all restrictions, while sandbox="value1 value2" lifts specific restrictions using space-separated keywords.
Syntax:
<iframe sandbox="value">
Attribute Values:
- (no value): Applies all restrictions and disables most iframe capabilities
- allow-forms: Re-enables form submission inside the iframe
- allow-pointer-lock: Re-enables pointer lock APIs inside the iframe
- allow-popups: Allows popups inside the iframe
- allow-same-origin: Treats iframe content as being from the same origin as the parent page
- allow-scripts: Re-enables script execution inside the iframe
- allow-top-navigation: Allows the iframe to navigate the top-level browsing context
Example: Displays a GeeksforGeeks heading and an iframe with the sandbox attribute, with the source set to the GeeksforGeeks IDE. Basic structure, with no sandbox attribute values.
<!DOCTYPE html>
<html>
<head>
<title>
HTML Iframe sandbox Attribute
</title>
</head>
<body>
<h1>GeeksforGeeks</h1>
<h2>HTML IFrame sandbox Attribute</h2>
<br />
<br />
<iframe
id="GFGFrame"
src="https://media.geeksforgeeks.org/wp-content/uploads/20210910170539/gfg-221x300.png"
width="400"
height="200"
sandbox>
</iframe>
</body>
</html>
Note: The iframe code is valid, but https://www.geeksforgeeks.org/ blocks embedding through security headers like X-Frame-Options and Content-Security-Policy (CSP). Therefore, the iframe may not display the website. Use another embeddable URL to test the output.
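The attribute list above explains each keyword on its own, and the example shows a single fully restricted frame. The following is an added example, not code from the original page or from GeeksforGeeks, that goes a bit beyond the page: checkSandbox() parses a sandbox value the way a template lint in CI might, knows the keywords listed above plus the remaining standard ones, and flags the combination practitioners most often get wrong (allow-scripts together with allow-same-origin, which lets framed content that is same-origin with the embedder strip the sandbox). When the same file is loaded in a browser page served over http(s), runBrowserDemo() embeds one constructed probe document under several sandbox settings so you can see which frames can run scripts, reach parent.document, or use storage; frames that never report are the ones whose sandbox blocked scripting. All function names, the PROBE markup and the __LABEL__ placeholder are our own.

```javascript
// Added example, not code from the original page. Two parts:
//  1. checkSandbox(value): a small lint for the value of an <iframe sandbox>
//     attribute (a CI check over templates would use something like it).
//  2. runBrowserDemo(root): when this file is loaded in a browser, it embeds
//     one probe document under several sandbox settings and lets each frame
//     report back what it was actually allowed to do.
// All function and variable names are our own choices.

// Keywords named on the page, plus the remaining standard ones.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-pointer-lock", "allow-popups", "allow-same-origin",
  "allow-scripts", "allow-top-navigation",
  "allow-downloads", "allow-modals", "allow-orientation-lock",
  "allow-popups-to-escape-sandbox", "allow-presentation",
  "allow-top-navigation-by-user-activation",
]);

// The attribute value is a set of space-separated keywords, matched
// case-insensitively. null/undefined means the attribute is absent.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Returns the normalised keyword list and human-readable findings.
function checkSandbox(value) {
  const findings = [];
  const tokens = parseSandbox(value);
  if (tokens === null) {
    findings.push("no sandbox attribute: embedded content is not restricted at all");
    return { tokens: [], findings };
  }
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown keyword "${t}" (browsers ignore it)`);
  }
  // Without allow-same-origin the frame gets a unique opaque origin, so even
  // with scripts it cannot touch the parent. Granting both lets a frame that is
  // same-origin with the embedder reach parent.document and strip the sandbox.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts with allow-same-origin: same-origin framed content can " +
      "remove the sandbox attribute, so do not use this pair for untrusted content");
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: framed content can navigate the top-level page");
  }
  return { tokens: [...tokens].sort(), findings };
}

// Constructed probe document used for every frame. Its script only runs when
// the frame is allowed to execute scripts, so frames that never report are
// the ones whose sandbox blocked scripting.
const PROBE = `<!DOCTYPE html><body style="font:12px sans-serif">probe
<script>
  const probe = { origin: location.origin };      // "null" for an opaque origin
  try { probe.parentDocument = parent.document !== undefined; }
  catch (e) { probe.parentDocument = false; }     // cross-origin or opaque: blocked
  try { void localStorage.length; probe.storage = true; }
  catch (e) { probe.storage = false; }            // SecurityError in an opaque origin
  parent.postMessage({ label: __LABEL__, probe }, "*");
<\/script></body>`;

// Browser-only demo: one frame per setting, checker output and probe reports
// appended to a <pre> so the two views can be compared side by side.
function runBrowserDemo(root) {
  const settings = [null, "", "allow-scripts", "allow-scripts allow-same-origin"];
  const out = document.createElement("pre");
  root.appendChild(out);
  window.addEventListener("message", (ev) => {
    if (ev.data && ev.data.label) {
      out.textContent += `${ev.data.label} -> ${JSON.stringify(ev.data.probe)}\n`;
    }
  });
  for (const value of settings) {
    const label = value === null ? "(no sandbox)" : `sandbox="${value}"`;
    const { findings } = checkSandbox(value);
    out.textContent += `${label}: ${findings.length ? findings.join("; ") : "no findings"}\n`;
    const frame = document.createElement("iframe");
    if (value !== null) frame.setAttribute("sandbox", value);
    frame.srcdoc = PROBE.replace("__LABEL__", JSON.stringify(label));
    frame.width = 240;
    frame.height = 40;
    root.appendChild(frame);
  }
}

// Only run the demo where a DOM exists; under Node only the checker is used.
if (typeof document !== "undefined") runBrowserDemo(document.body);
```

Under Node only checkSandbox() is exercised; in a browser, expect the frame with no sandbox and the one with allow-scripts allow-same-origin to report the page's own origin and parentDocument true, the allow-scripts frame to report origin "null" with parentDocument and storage false, and the empty sandbox frame to report nothing because its script never runs.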