iframe sandbox Flag Builder

Tick the sandbox flags you want and copy the <iframe> tag.


Overview

The iframe sandbox Flag Builder lets you tick each sandbox token (allow-scripts, allow-forms, allow-same-origin, allow-popups, allow-modals, etc.) and emits a complete <iframe sandbox="..."> tag with the selected flags. The default — empty sandbox — strips every capability; each token re-enables one.

Useful when embedding third-party widgets, or when learning how to sandbox an iframe in HTML (for instance, how to allow forms but not scripts). Security engineers reach for it when building widget hosts, AMP-like embed shells, or any environment where untrusted content must run with the minimum set of permissions.

How it works

The HTML Living Standard defines sandbox as a set of opt-in tokens that selectively re-enable capabilities the bare sandbox attribute removes. Capabilities turned off by default include: script execution, form submission, top-level navigation, popups, modal dialogs, pointer-lock, and same-origin treatment. Without allow-same-origin, the iframe is treated as a unique opaque origin even when it loads from your own domain, preventing localStorage and cookie access.

The builder warns about the dangerous combination allow-scripts allow-same-origin for content you don't control: when the framed content is same-origin with the embedding page, its script can reach the parent document, strip the sandbox attribute from its own <iframe> element, and reload without it, escaping the sandbox entirely.

Examples

  • A safe untrusted embed → <iframe sandbox></iframe> (no capabilities).
  • A read-only docs preview → <iframe sandbox="allow-scripts"></iframe>.
  • A form widget that needs to POST → <iframe sandbox="allow-scripts allow-forms"></iframe>.
  • A trusted-but-isolated widget → <iframe sandbox="allow-scripts allow-same-origin allow-popups"></iframe> (only for a source you control, since this pair can undo the sandbox).

FAQ

What does an empty sandbox attribute do?

It applies the full set of restrictions — no scripts, no forms, no navigation, no same-origin. The iframe becomes a quarantine.

Why is allow-scripts + allow-same-origin risky?

When the framed page is same-origin with the parent, its script can reach the parent document, locate its own <iframe> element, remove the sandbox attribute, and navigate itself again with no restrictions, effectively escaping the sandbox. Only safe for content you fully control.

Does sandbox replace CSP frame-src?

No. sandbox restricts what the iframe can do; frame-src in CSP restricts where iframes can come from. Use both.

Can sandboxed iframes use postMessage?

Yes. postMessage is not gated by any sandbox token, which is how sandboxed widgets typically communicate with their parent. Two caveats: the frame still needs allow-scripts to run the script that calls it, and without allow-same-origin the frame has an opaque origin, so the parent sees event.origin as the string "null" and should identify the sender by event.source rather than by origin alone.
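As an added illustration of what the builder does (example code written for this page, not the tool's own source): a small JavaScript builder that validates sandbox tokens against the standard list, emits the tag, and flags the allow-scripts + allow-same-origin pair described above, plus the parent-side postMessage check from the FAQ. The `trustedSource` option is a hypothetical flag standing in for "we fully control this content".

```javascript
// Tokens defined for the sandbox attribute by the HTML Living Standard.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the <iframe> tag. `src` and `tokens` are caller-supplied;
// `trustedSource` is a hypothetical option meaning "we fully control this
// content", the only case in which the risky pair is acceptable.
function buildSandboxedIframe(src, tokens, { trustedSource = false } = {}) {
  const seen = new Set(); // dedupes while keeping the order given
  for (const token of tokens) {
    if (!KNOWN_TOKENS.has(token)) throw new Error(`unknown sandbox token: ${token}`);
    seen.add(token);
  }
  const warnings = [];
  if (seen.has("allow-scripts") && seen.has("allow-same-origin") && !trustedSource) {
    warnings.push("allow-scripts with allow-same-origin: a same-origin frame can " +
      "remove its own sandbox attribute; use only for content you fully control");
  }
  // No tokens => bare `sandbox`, which turns every capability off.
  const sandboxAttr = seen.size === 0 ? "sandbox" : `sandbox="${[...seen].join(" ")}"`;
  return { tag: `<iframe ${sandboxAttr} src="${escapeAttr(src)}"></iframe>`, warnings };
}

// Parent-side check for a postMessage from the sandboxed widget. A frame
// without allow-same-origin has an opaque origin, so event.origin is the
// string "null"; event.source identifies which frame actually sent it.
function acceptWidgetMessage(event, iframeEl, expectedOrigin) {
  return event.source === iframeEl.contentWindow && event.origin === expectedOrigin;
}
```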
