iframe Sandboxing and Permissions Policy
Restrict embedded content with sandbox and Permissions-Policy.
Why Sandbox iframes?
Untrusted content in an iframe (third-party widgets, user-submitted HTML previews, embedded games) should not have full browser capabilities. The sandbox attribute restricts what the iframe can do, reducing the damage if it turns out to be malicious.
Empty sandbox = Maximum Restriction
<iframe sandbox src="..."> with no value applies every restriction: no scripts, no forms, no popups, no top-level navigation, no plugins, treated as a unique origin. Use this as the starting point and add only what the embedded content needs.
All lessons in this course
- Content Security Policy meta http-equiv
- XSS via innerHTML and How to Prevent It
- iframe Sandboxing and Permissions Policy
- HTTPS and Subresource Integrity