The HTML <iframe> sandbox attribute adds extra security by restricting the behavior of embedded content. It can allow or block features like form submission, scripting, and navigation inside the iframe.
- Restricts content origin, scripts, forms, APIs, and automatic features like autoplay or autofocus.
- Prevents links and embedded content from navigating or opening other browsing contexts.
- A bare sandbox attribute (no value) applies all restrictions, while sandbox="value1 value2" lifts specific restrictions using space-separated keywords.
Syntax:
<iframe sandbox="value">
Attribute Values:
- no-values: Applies all restrictions and disables most iframe capabilities
- allow-forms: Re-enables form submission inside the iframe
- allow-pointer-lock: Re-enables pointer lock APIs inside the iframe
- allow-popups: Allows popups inside the iframe
- allow-same-origin: Treats iframe content as being from the same origin as the parent page
- allow-scripts: Re-enables script execution inside the iframe
- allow-top-navigation: Allows the iframe to navigate the top-level browsing context
Example: Displays GeeksforGeeks heading, iframe with sandbox attribute, and source set to GeeksforGeeks IDE. Basic structure without sandbox attribute values.
Note: The iframe code is valid, but https://www.geeksforgeeks.org/ blocks embedding through security headers like X-Frame-Options and Content-Security-Policy (CSP). Therefore, the iframe may not display the website. Use another embeddable URL to test the output.
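The keyword rules listed above, as an added example that is not part of the original page: a small JavaScript audit of a sandbox attribute value that reports which restrictions it lifts and flags combinations worth reviewing. The function name auditSandbox, the KNOWN set and the sample values are assumptions made for illustration.

```javascript
// Added example (not from the original page): audit a sandbox attribute value.
// KNOWN holds only the keywords listed on this page; the HTML spec defines more.
const KNOWN = new Set([
  "allow-forms", "allow-pointer-lock", "allow-popups",
  "allow-same-origin", "allow-scripts", "allow-top-navigation",
]);

// value: null = attribute absent, "" = bare attribute (all restrictions apply).
function auditSandbox(value) {
  if (value === null || value === undefined) {
    return { sandboxed: false, lifted: [], unknown: [],
             warnings: ["no sandbox attribute: nothing is restricted"] };
  }
  // Keywords are space-separated and matched ASCII case-insensitively.
  const tokens = [...new Set(
    value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean))];
  const lifted = tokens.filter((t) => KNOWN.has(t)).sort();
  // Not in KNOWN: a typo lifts nothing in the browser; a real keyword that
  // this page does not list would have to be added to KNOWN to be audited.
  const unknown = tokens.filter((t) => !KNOWN.has(t)).sort();
  const warnings = [];
  if (lifted.includes("allow-scripts") && lifted.includes("allow-same-origin")) {
    warnings.push("allow-scripts + allow-same-origin: a framed document from " +
      "the embedding page's own origin can script the parent and remove the sandbox");
  }
  if (lifted.includes("allow-top-navigation")) {
    warnings.push("allow-top-navigation: framed content can redirect the whole page");
  }
  for (const t of unknown) warnings.push(`not in this page's keyword list: ${t}`);
  return { sandboxed: true, lifted, unknown, warnings };
}

// Constructed sample values, from strictest to unsandboxed.
for (const v of ["", "allow-forms", "Allow-Scripts  allow-same-origin",
                 "allow-script allow-top-navigation", null]) {
  console.log(JSON.stringify(v), "=>", JSON.stringify(auditSandbox(v)));
}
```

Grant only the keywords the embedded content actually needs, and treat any warning from the audit as a prompt to review that iframe.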