HTML IFrames Sandboxing


Example

The following embeds an untrusted web page with all restrictions enabled

<iframe sandbox src="http://example.com/"></iframe>

To allow the page to run scripts and submit forms, add allow-scripts and allow-forms to the sandbox attribute.

<iframe sandbox="allow-scripts allow-forms" src="http://example.com/"></iframe>

If there is untrusted content (such as user comments) on the same domain as the parent web page, an iframe can be used to disable scripts while still allowing the parent document to interact with it's content using JavaScript.

<iframe sandbox="allow-same-origin allow-top-navigation" src="http://example.com/untrusted/comments/page2">

The parent document can add event listeners and resize the IFrame to fit its contents. This, along with allow-top-navigation, can make the sandboxed iframe appear to be part of parent document.

This sandbox is not a replacement for sanitizing input but can be used as part of a defense in depth strategy.

Also be aware that this sandbox can be subverted by an attacker convincing a user to visit the iframe's source directly. The Content Security Policy HTTP header can be used to mitigate this attack.