An <iframe> embeds another HTML document inside your page (a map, video, payment widget, or untrusted user content). Because the embedded page can run its own scripts, the sandbox attribute is key to embedding it safely.
sandbox with no value applies the maximum restrictions: no scripts, no forms, no popups, and the content is treated as a unique origin. You then selectively re-enable capabilities by listing tokens:
<iframe sandbox></iframe> <!-- locked down: scripts disabled, etc. -->
<iframe sandbox="allow-scripts allow-forms allow-popups"></iframe>
Common tokens:
- allow-scripts — let it run JavaScript.
- allow-forms — let it submit forms.
- allow-same-origin — keep its origin (without this it's a null origin, blocking storage/cookies).
- allow-popups, allow-modals, allow-top-navigation.
Security note: combining allow-scripts and allow-same-origin lets the frame remove its own sandbox if it's same-origin — avoid that combination for untrusted content.
Beyond sandbox, referrerpolicy controls what the frame learns about your page's URL, and allow (Permissions Policy) controls which device features it may request:
<iframe
referrerpolicy="no-referrer"
allow="camera 'none'; geolocation 'none'"
></iframe>
Iframes embed third-party or user-generated content that you don't control and shouldn't fully trust. sandbox (deny-by-default, allow only what's needed) plus referrerpolicy/allow lets you contain that content — preventing it from running unwanted scripts, navigating your page, or accessing device features.
Add a title attribute for accessibility and loading="lazy" for performance.
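As an added example (not code from the original page), here is a small helper that assembles the deny-by-default attribute set described above and refuses the allow-scripts + allow-same-origin pairing unless the embedder marks the content as trusted; the function names and the fixed referrerpolicy/allow values are assumptions chosen to match the snippets on this page.

```javascript
// Added example: build a locked-down <iframe> attribute set from an explicit
// capability list. Everything not listed stays disabled (sandbox is always set).
const KNOWN_TOKENS = [
  "allow-scripts", "allow-forms", "allow-popups", "allow-modals",
  "allow-same-origin", "allow-top-navigation",
];

function sandboxedFrameAttrs(src, { trusted = false, capabilities = [] } = {}) {
  for (const t of capabilities) {
    if (!KNOWN_TOKENS.includes(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  const caps = new Set(capabilities);
  // A frame that can run scripts AND keeps its origin could strip its own
  // sandbox if it is same-origin with the embedder; refuse that for untrusted content.
  if (!trusted && caps.has("allow-scripts") && caps.has("allow-same-origin")) {
    throw new Error("allow-scripts + allow-same-origin is unsafe for untrusted content");
  }
  return {
    src,
    // Empty string == bare `sandbox` attribute == fully locked down.
    sandbox: KNOWN_TOKENS.filter((t) => caps.has(t)).join(" "),
    referrerpolicy: "no-referrer",                 // hide the embedder's URL
    allow: "camera 'none'; geolocation 'none'",    // deny device features
    loading: "lazy",
  };
}

// Escape attribute values so a hostile src cannot break out of the tag.
function escapeAttr(v) {
  return String(v).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Serialise the attribute map (plus an accessibility title) into markup.
function renderIframe(title, attrs) {
  const parts = [`title="${escapeAttr(title)}"`];
  for (const [k, v] of Object.entries(attrs)) parts.push(`${k}="${escapeAttr(v)}"`);
  return `<iframe ${parts.join(" ")}></iframe>`;
}
```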