HTML | <iframe> sandbox Attribute

Last Updated : 06 May, 2025

The HTML <iframe> tag’s sandbox attribute restricts the behavior of the embedded content for added security. It allows or disallows specific capabilities such as form submission and scripting within the iframe.

When the sandbox attribute is present, it will:

  • treat the content as being from a unique origin
  • block form submission
  • block script execution
  • disable APIs
  • prevent links from targeting other browsing contexts
  • prevent the content from navigating its top-level browsing context
  • block automatically triggered features (such as automatically playing a video or automatically focusing a form control)

The value of the sandbox attribute can either be empty (in which case all restrictions are applied) or a space-separated list of pre-defined values that remove particular restrictions.

Syntax:  

<iframe sandbox="value">

Attribute Values:

| Value | Description |
| --- | --- |
| (no value) | Applies all restrictions, effectively disabling most capabilities of the embedded content. |
| allow-forms | Re-enables form submission within the iframe. |
| allow-pointer-lock | Re-enables pointer lock APIs within the iframe. |
| allow-popups | Re-enables popups within the iframe. |
| allow-same-origin | Allows the content of the iframe to be treated as being from the same origin as the parent page. |
| allow-scripts | Re-enables scripts within the iframe. |
| allow-top-navigation | Allows the content of the iframe to navigate its top-level browsing context. |

Example: This example displays a GeeksforGeeks heading and an iframe whose source is set to a GeeksforGeeks page. The sandbox attribute is used without any values, so all restrictions are applied.

index.html
<!DOCTYPE html>
<html>
    <head>
        <title>
            HTML Iframe sandbox Attribute
        </title>
    </head>
    <body>
        <h1>GeeksforGeeks</h1>

        <h2>HTML IFrame sandbox Attribute</h2>
        <br />
        <br />
        <iframe
            id="GFGFrame"
            src="https://geeksforgeeks.org/community"
            width="400"
            height="200"
            sandbox
        >
        </iframe>
    </body>
</html>


Note: The HTML iframe syntax is correct, but the https://geeksforgeeks.org website does not allow itself to be embedded in iframes on other domains. This is due to protective headers (X-Frame-Options, CSP) that prevent clickjacking and preserve content security. As a result, the iframe appears broken, even though the code itself is valid. You can use a link to another website to check the output.
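
As an added example (not part of the original article), the following Node.js script audits the sandbox attribute of every iframe in an HTML string against the values in the Attribute Values table. It flags frames with no sandbox, unrecognised tokens, and the allow-scripts plus allow-same-origin combination, which lets framed content served from the embedding page's own origin remove the sandbox attribute. The name auditIframes, the sample markup and its relative URLs are assumptions made for illustration.

```javascript
// Added example (not from the original article): audit <iframe> sandbox attributes.
// KNOWN_TOKENS holds only the values from the table above; browsers accept more.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-pointer-lock", "allow-popups",
  "allow-same-origin", "allow-scripts", "allow-top-navigation",
]);

// An <iframe ...> start tag, tolerating ">" inside quoted attribute values.
const TAG_RE = /<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function auditIframes(html) {
  return [...html.matchAll(TAG_RE)].map(([, attrText]) => {
    const attrs = new Map();
    for (const [, name, dq, sq, bare] of attrText.matchAll(ATTR_RE)) {
      const key = name.toLowerCase();
      // HTML parsers ignore a duplicate attribute, so the first occurrence wins.
      if (!attrs.has(key)) attrs.set(key, dq ?? sq ?? bare ?? "");
    }
    const report = {
      id: attrs.get("id") ?? null, sandboxed: attrs.has("sandbox"),
      allowed: [], findings: [],
    };
    if (!report.sandboxed) {
      report.findings.push("no sandbox attribute: none of the restrictions apply");
      return report;
    }
    // Tokens are space-separated and ASCII case-insensitive.
    const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
    for (const token of new Set(tokens)) {
      if (KNOWN_TOKENS.has(token)) report.allowed.push(token);
      else report.findings.push(`token not in the table: ${token}`);
    }
    const has = (t) => report.allowed.includes(t);
    if (has("allow-scripts") && has("allow-same-origin")) {
      report.findings.push("allow-scripts + allow-same-origin: same-origin content can remove the sandbox");
    }
    if (has("allow-top-navigation")) report.findings.push("allow-top-navigation: frame can navigate the embedding page");
    return report;
  });
}

// Constructed sample markup; the first frame mirrors the article's example.
const SAMPLE = `
<iframe id="GFGFrame" src="https://geeksforgeeks.org/community" width="400" height="200" sandbox></iframe>
<iframe id="widget" src="/widget.html" sandbox="allow-scripts ALLOW-SAME-ORIGIN allow-everything"></iframe>
<iframe id="legacy" src="/old.html" title="a > b"></iframe>`;
for (const r of auditIframes(SAMPLE)) console.log(JSON.stringify(r));
```

A frame that needs scripts is safer with allow-scripts alone, or served from a separate origin if allow-same-origin is also required.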


Supported Browsers: The browsers supported by HTML IFrame sandbox Attribute are listed below 

