Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Value of HTML5 iframe sandbox attribute

Tags:

html

attributes

iframe

sandbox

I've been reading up on HTML5's sandbox attribute for <iframe>s. According to the documentation the sandbox attribute allows a developer to selectively restrict what actions can be done in an <iframe>. Is the sandbox attribute purely a security measure? Does the sandbox attribute enable web designers to implement any new functionality and if so can anyone point to any examples?

like image 901
Ben Pearce Avatar asked Mar 29 '14 22:03

Ben Pearce

People also ask

What is the iframe sandbox attribute?

The sandbox attribute enables an extra set of restrictions for the content in the iframe. When the sandbox attribute is present, and it will: treat the content as being from a unique origin. block form submission.

Why would you use the sandbox attribute with an iframe?

Applying the sandbox attribute to iframes you include allows you to grant certain privileges to the content they display, only those privileges which are necessary for the content to function correctly.

What is iframe attribute in HTML?

The iframe in HTML stands for Inline Frame. The ” iframe ” tag defines a rectangular region within the document in which the browser can display a separate document, including scrollbars and borders. An inline frame is used to embed another document within the current HTML document.

Can we use iframe in HTML5?

The <iframe> element is still valid in HTML5. Depending on what exact interaction you need there might be different APIs. For example there's the postMessage method which allows you to achieve cross domain javascript interaction.

1 Answers

Well, it is purely a security feature, but it does allow new functionality as well. Take for example embedding third party (user) content (e.g. HTML files). Traditionally you would need to set up a separate domain from which you would serve that content, now however you can simply serve it from wherever you want to and have it treated as if it's from a separate domain.

On top of that it can prevent this third party content from doing certain things, which you could not have prevented previously like:

  • allow-top-navigation: Preventing it from breaking out
  • allow-pointer-lock: Preventing it from taking the cursor hostage
  • allow-popups: Preventing it from breaking out through popups
  • allow-scripts: Simply blocking all scripts (could also have been done through CSP)

Realistically the combination of the sandbox attribute combined with controlled CSP headers gives an incredible amount of control to run third party code in a safe environment. It's not 100% there yet, but we're getting quite close.

like image 199
David Mulder Avatar answered Nov 15 '22 21:11

David Mulder
Sign in to Comment

Related questions

About ![CDATA[, what is it? [duplicate]
stretching div to fill body
jQuery uncaught exception: syntax error, unrecognized expression [ tabindex="something"]
Can overflow:hidden affect layout?
problem in file upload
How to detect negative user response for geolocation
How do I add an extra html table row upon button click using jQuery?
How can prevent the click on elements which under the transparent overlay div in windows phone?
How to prevent newline at the end of html input field?
Why url encode, or which characters to encode
How to test for Touch-Events now that Chrome fails standard tests?
How do I rotate individual letters and keep them flowing left-to-right?
Is it possible to use iframe with localhost address in source ?
PHP getting document path relative to site root
displaying html5 video in ios without play button overlay
localStorage - clear() or removeItem()?
What is the best way of editing .mht(web archive) files?
MathJax not working if loaded from local js file or if the source code is included
textarea label vertical-align: middle
Can the HTML data attribute hold a reference to a DOM element?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!