← Lessons

quiz vs the machine

Gold1360

Frontend

Iframe Sandbox

How the sandbox attribute strips an embedded frame of privileges and grants them back one at a time.

5 min read · core · beat Gold to climb

What it is

The iframe sandbox attribute drops a frame into a restricted environment. By default it removes scripts, forms, popups, and treats the frame as a unique opaque origin.

How it works

  • Adding sandbox with no value applies the strictest set of restrictions.
  • You re grant capabilities by listing tokens such as allow scripts or allow forms.
  • The frame gets only the powers you explicitly add back.

Why opaque origin matters

A sandboxed frame is treated as a unique origin, so it cannot read cookies or storage of the embedding site even if you allow scripts. This isolates untrusted content like ads or user widgets.

A dangerous combination

Granting both allow scripts and allow same origin to content from your own origin lets the frame remove its own sandbox. Avoid that pairing for untrusted content.

Key idea

Sandbox strips an iframe of privileges and re grants them by token, with a unique origin isolating untrusted embedded content.

Check yourself

Answer to earn rating on the learn ladder.

1. What does an empty sandbox attribute do?

2. Which combination can let a frame escape its sandbox?