HTML and CSS Reference
• Restricted local access: The content is treated as being from a different server,
which prevents access to local server content such as cookies and other web
storage options tied to the local server domain.
• No form submission: Form submission from the inline content is disabled.
• No external link targets: Links in the inline content are prevented from
targeting other browsing contexts, such as the containing document through the use
of target="_parent", for example.
• No plug-ins: Inline content requiring plug-ins, such as for Adobe Flash content,
As a Boolean attribute, sandbox just needs to be added to the iframe to enable
these restrictions, like so:
<iframe src="external.html" sandbox><!-- Fallback content --></iframe>
If the sandbox attribute is not treated as a Boolean attribute, a number of text
keyword values can be set that will negate almost all of the previous restrictions. Table
5-1 shows the available keywords. More than one keyword can be added to negate more
than one restriction, with each separated by a space. Here's an example:
<iframe src="external.html" sandbox="allow-forms allow-
<!-- Fallback content -->
The previous code would allow form submissions and external link targets in the
embedded content but would have the other sandbox restrictions in effect.
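The keyword behaviour described above can be checked mechanically. The following is an added example, not code from the book: it reports which restrictions each iframe's sandbox value lifts and which stay in effect. The keyword names are taken from the HTML standard rather than from Table 5-1, and the function names and sample markup are constructed for illustration.

```javascript
// Added example. Keyword names follow the HTML standard; labels follow the list above.
const LIFTS = new Map([
  ["allow-same-origin", "Restricted local access"],
  ["allow-forms", "No form submission"],
  ["allow-top-navigation", "No external link targets"],
  ["allow-scripts", "No scripts"], // restriction not shown in the excerpt above
]);
const ALWAYS_ON = ["No plug-ins"]; // no keyword re-enables plug-ins

// Audit one <iframe ...> start tag. Simplified regex parsing, for illustration only.
function auditIframe(tag) {
  // Accepts: sandbox | sandbox="a b" | sandbox='a b' | sandbox=a
  const m = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s>\/])/i.exec(tag);
  if (!m) {
    return { sandboxed: false, lifted: [], active: [], unmapped: [],
             warnings: ["no sandbox attribute: none of the restrictions apply"] };
  }
  const tokens = (m[1] ?? m[2] ?? m[3] ?? "").toLowerCase().split(/\s+/).filter(Boolean);
  const lifted = [], unmapped = [];
  for (const t of new Set(tokens)) (LIFTS.has(t) ? lifted : unmapped).push(t);
  const active = [...LIFTS].filter(([k]) => !lifted.includes(k)).map(([, v]) => v)
    .concat(ALWAYS_ON);
  const warnings = [];
  if (lifted.includes("allow-scripts") && lifted.includes("allow-same-origin")) {
    warnings.push("allow-scripts + allow-same-origin: same-origin content can remove its own sandbox");
  }
  if (unmapped.length) warnings.push("keywords outside this table: " + unmapped.join(", "));
  return { sandboxed: true, lifted, active, unmapped, warnings };
}

// Audit every iframe start tag in a chunk of markup.
function auditPage(html) {
  return (html.match(/<iframe\b[^>]*>/gi) || []).map(auditIframe);
}

// Constructed sample markup (file names are placeholders).
const SAMPLE = `
<iframe src="external.html" sandbox></iframe>
<iframe src="form.html" sandbox="allow-forms allow-top-navigation"></iframe>
<iframe src="widget.html" sandbox="ALLOW-SCRIPTS allow-same-origin"></iframe>
<iframe src="legacy.html"></iframe>`;

for (const r of auditPage(SAMPLE)) console.log(JSON.stringify(r));
```

An empty value (sandbox="") is treated the same as the bare Boolean attribute: every restriction stays on.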