iframe, sandbox & Embeds

An `<iframe>` carves out a completely separate browsing context inside the page. The `sandbox` attribute walls it off from the parent; `title` makes it accessible.

HTML6 min readConcept 22 of 42

What it is

<iframe> embeds another document inside the current page in its own isolated browsing context. That context has its own history stack, its own JavaScript scope, and its own cookie jar. The embedded content and the host page run side by side but cannot read each other's data unless they share the same origin and both opt in.

The sandbox attribute restricts what embedded content can do. An empty sandbox="" applies the most restrictive set: no scripts, no form submission, no popups, no navigation of the top page, and no same-origin privileges even if the URL matches the host. Each allow-* token explicitly restores one capability.

Why it matters

Without sandbox, an embedded third-party page can run JavaScript, redirect the top-level window, submit forms, and read any cookies shared by the origin. A sandboxed iframe limits the blast radius of a compromised or malicious embed. Every third-party widget, every payment form in an iframe, every user-uploaded HTML snippet should run behind a sandbox.

Clickjacking is the reverse problem: someone frames your page inside their site and tricks users into clicking buttons they cannot see. The defense is a server header, not HTML: X-Frame-Options: DENY or Content-Security-Policy: frame-ancestors 'none' prevents your page from being embedded at all. sandbox does not help here, because you control your own page, not the attacker's.

How it works

The minimum useful iframe: <iframe src="https://example.com" title="Example site" width="800" height="600" loading="lazy">. The title attribute is required for screen readers to identify the frame. Without it, a screen reader announces only "iframe" with no context. loading="lazy" defers the embed until it is near the viewport, the same as images.

Add sandbox to restrict the embed, then selectively restore capabilities with tokens: sandbox="allow-scripts allow-forms" enables JavaScript and form submission but keeps popups and top-navigation blocked. The dangerous combination to avoid is allow-scripts allow-same-origin on a same-origin embed: same-origin content can access the DOM, find the iframe element, and remove the sandbox attribute entirely, defeating it.

The allow attribute controls browser features via Permissions Policy: allow="fullscreen" lets the embed go fullscreen, allow="autoplay" allows media autoplay. YouTube's embed code uses a long allow list because it needs camera, clipboard, encrypted media, and more. Unlike sandbox which starts closed and opens permissions, allow starts with the browser defaults and you explicitly grant extras.

Try it

See the sandbox boundary light up to signal isolation, and explore which tokens are locked vs open by default.

<iframe
src="https://widget.io"
title="Payment widget"
width="400" height="300"
loading="lazy"
sandbox="allow-scripts
allow-forms"
allow="payment">
</iframe>
widget.io
sandboxed browsing context
isolatedseparate JS scope, cookies, history

sandbox tokens

allow-scriptsJS enabled
allow-formssubmit forms
allow-popupsno popups
allow-same-origincross-origin only
allow-top-navigationcannot redirect parent
title

Screen readers announce title="Payment widget" before the user enters the frame. Without it, they hear only "iframe" with no context.

Teal = sandbox; lavender = title. Both are required on every third-party iframe.

Check yourself

Pick an answer to lock it in, then read why. Getting one wrong is part of how it sticks.

  1. 1What does sandbox="" (empty) do to an iframe?
  2. 2Why is sandbox="allow-scripts allow-same-origin" dangerous for a same-origin embed?
  3. 3What does a screen reader announce for an <iframe> with no title attribute?

Remember this

  • <iframe title="..."> is required: screen readers announce the title before the user enters the frame.
  • sandbox="" applies all restrictions; each allow-* token restores one specific capability.
  • Never combine allow-scripts and allow-same-origin on a same-origin embed: the content can remove its own sandbox.
  • X-Frame-Options or Content-Security-Policy: frame-ancestors prevents your page from being framed, not sandbox.

Done with this concept?

Mark it complete to track your progress. No login needed.