iframe sandbox Attribute Tokens

Every sandbox token value, the capability it re-enables, and what the attribute blocks by default.

Reference for the HTML iframe sandbox attribute tokens including allow-scripts, allow-forms, allow-same-origin, allow-popups and allow-top-navigation, with what each re-enables and the secure default block list.

What does an empty sandbox attribute do?

An empty sandbox (sandbox="") applies the maximum set of restrictions: scripts disabled, forms disabled, the frame forced into a unique opaque origin, popups blocked, top-level navigation blocked, plugins blocked, and more. Each token you add relaxes exactly one restriction.

What the iframe sandbox attribute does

The sandbox attribute on an <iframe> runs the embedded document under a set of additional restrictions on top of the same-origin policy. The moment you add the attribute, almost everything is switched off: scripts, forms, popups, top-level navigation, the document’s own origin, plugins, and pointer lock. You then opt back in to specific capabilities by listing allow-* tokens. This “deny by default, allow explicitly” model is why sandbox is a core tool for safely embedding untrusted third-party content.

How it works

Tokens are space-separated inside the attribute value:

<iframe src="widget.html" sandbox="allow-scripts allow-forms"></iframe>

Each token re-enables exactly one feature. With no tokens the frame is maximally locked down and is also forced into a unique opaque origin, so even same-origin content is treated as cross-origin. The single most important rule: combining allow-scripts with allow-same-origin lets a same-origin framed page script its own sandbox attribute away, so reserve that pairing for fully trusted content.
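The following is an added example, not code from the original page: a small helper that builds the sandbox attribute value from a token list, drops tokens a browser would silently ignore, and flags the combinations discussed above. It runs in Node or a browser and touches no DOM.

```javascript
// Added example: normalise a sandbox token list, reject unknown tokens, and
// flag the risky combinations this page describes. Strings only, no DOM.

// Tokens defined by the HTML standard (the page names a subset of these).
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Returns { value, unknown, warnings }. `value` is the attribute string to emit,
// `unknown` lists tokens a browser would ignore (a typo grants nothing but also
// signals nothing, so surface it), `warnings` lists risky combinations.
function buildSandbox(tokens) {
  // Tokens are ASCII case-insensitive and space-separated; normalise and
  // de-duplicate so "Allow-Scripts allow-scripts" counts as one token.
  const wanted = [...new Set(tokens.map((t) => t.trim().toLowerCase()).filter(Boolean))];
  const unknown = wanted.filter((t) => !KNOWN_TOKENS.has(t));
  const accepted = wanted.filter((t) => KNOWN_TOKENS.has(t));
  const has = (t) => accepted.includes(t);
  const warnings = [];

  if (has("allow-scripts") && has("allow-same-origin")) {
    warnings.push("allow-scripts + allow-same-origin: a same-origin framed page can " +
      "remove its own sandbox attribute; only for fully trusted content");
  }
  if (has("allow-top-navigation")) {
    warnings.push("allow-top-navigation: unconditional top-level redirects; prefer " +
      "allow-top-navigation-by-user-activation");
  }
  if (has("allow-popups-to-escape-sandbox")) {
    warnings.push(has("allow-popups")
      ? "allow-popups-to-escape-sandbox: opened popups do not inherit the restrictions"
      : "allow-popups-to-escape-sandbox has no effect without allow-popups");
  }
  return { value: accepted.join(" "), unknown, warnings };
}

// Emit the <iframe> markup shown above. `src` is a constructed sample value;
// attribute-escape it so a stray quote cannot break out of the attribute.
function renderIframe(src, tokens) {
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  const { value } = buildSandbox(tokens);
  return `<iframe src="${esc(src)}" sandbox="${esc(value)}"></iframe>`;
}
```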

Tips and notes

Prefer allow-top-navigation-by-user-activation over the unconditional allow-top-navigation, so framed content can only redirect the page after a genuine user click. allow-popups-to-escape-sandbox lets popups open without inheriting the restrictions: useful for legitimate auth flows, risky for ads. Sandbox pairs naturally with Content-Security-Policy and referrerpolicy; treat them as layers, not substitutes.