Allow-forms allow-pointer-lock allow-same-origin allow-top-navigation
A Show Using sandbox The
Certain Syntax
ValuesValue Description empty or no value set Implements all restrictions. allow-forms Allows form to be submitted. allow-modals Allows opening of modals. allow-orientation-lock Allows screen orientation to be locked. allow-pointer-lock Allows pointer lock API. allow-popups Allow popups. allow-popups-to-escape-sandbox Allow popup to open in new tab or window. allow-presentation Allow a presentation to be started. allow-same-origin Allows frame content to be treated as same origin. allow-scripts Enables script to execute. allow-top-navigation Allows frame content to navigate on the frame's page. allow-top-navigation-by-user-activation Allows content to be opened in new tab or window -- if allowed by the user. Over time, we have gotten used to integrate more and more content on our web pages. Sometimes these content come from third parties (social networks widgets, advertising, etc). It implies two consequences: the , and we display to the users some content that we can’t fully control. Some of these external content are integrated via the Sandbox: principleIn terms of security, a best practice when you manipulate elements that you don’t control, is to “compartmentalize” the environment of these elements: only authorize what is strictly necessary, to limit the potential impacts. So, the sandbox attribute has been created to limit the action available from an iframe within your page. Once you specify this attribute on a iframe: the following restrictions apply:
Remove some restrictionsThe sandbox attribute accepts multiple values that will allow you to relax the default policy as needed:
Note that you can’t reauthorize plugins execution. For example, if your iframe needs to open a popup to a third service, and requires authentication to access this service, you’ll have to add these values:
Note that it’s not advisable to add both values allow-scripts and allow-same-origin: these two values will allow the iframe to access and modify your DOM. In this case, a malicious iframe could perform all sorts of operations, and could even remove its own sandbox attribute! What is sandbox allowValues of the sandbox Attribute Re-enables popups in a sandboxed iframe. allow-pointer-lock. Re-enables the Pointer Lock API (mouse movement capture) in sandboxed a iframe. allow-forms. Re-enables form submission in a sandboxed iframe. What allows the iframe content to be treated as being from the same origin?The allow-same-origin keyword allows the content to be treated as being from the same origin instead of forcing it into a unique origin, the allow-top-navigation keyword allows the content to navigate its top-level browsing context, and the allow-forms and allow-scripts keywords re-enable forms and scripts respectively ... Are iFrames still used?Finally, the What is the sandbox attribute?Definition and Usage. The sandbox attribute enables an extra set of restrictions for the content in an iframe. When the sandbox attribute is present, and it will: treat the content as being from a unique origin. block form submission. |