Today I Learned - Rocky Kev

TIL iframe sandbox attribute

The <iframe> HTML element represents a nested browsing context, embedding another HTML page into the current one.

It can be abused.

<iframe sandbox> allows you to lock it down. If a form in there tries to submit something: nope, won’t work. What if it tries to trigger a download? Nope. Ask for device access? No way. It can’t even run any JavaScript at all.

What you can do is unlock individual restrictions by listing them in the attribute value:

<iframe sandbox="allow-downloads">

There's actually a huge list of restrictions you can unlock if you want fine control over the iframe. The full list is in the MDN docs.
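An added example (not from the original post): a small Node.js script that scans markup for iframes and reports which sandbox tokens each one unlocks, using the token list documented on MDN. The names `auditIframes` and `SAMPLE` and the paths in the sample are made up for illustration; the script also flags the combination MDN discourages, allow-scripts together with allow-same-origin.

```javascript
// Added example: static check of iframe sandbox attributes.
// Uses a regex scan for brevity; a real HTML parser is more robust.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-storage-access-by-user-activation", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Matches a bare `sandbox` or `sandbox=value` (double-quoted, single-quoted, unquoted).
const SANDBOX_RE = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?(?=[\s>\/])/i;

// Returns one report per <iframe> start tag: { tag, tokens, findings }.
function auditIframes(html) {
  const reports = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const m = tag.match(SANDBOX_RE);
    if (!m) {
      reports.push({ tag, tokens: null, findings: ["no sandbox attribute"] });
      continue;
    }
    const value = (m[1] ?? m[2] ?? m[3] ?? "").trim().toLowerCase();
    const tokens = value ? value.split(/\s+/) : []; // empty list = fully locked down
    // Browsers ignore tokens they do not know, so a typo silently unlocks nothing.
    const findings = tokens
      .filter((t) => !KNOWN_TOKENS.has(t))
      .map((t) => `unknown token: ${t}`);
    if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
      findings.push("allow-scripts + allow-same-origin: same-origin content can remove its own sandbox");
    }
    reports.push({ tag, tokens, findings });
  }
  return reports;
}

// Constructed sample markup (paths are made up).
const SAMPLE = `
<iframe src="/widget.html"></iframe>
<iframe sandbox src="/untrusted.html"></iframe>
<iframe sandbox="allow-downloads" src="/files.html"></iframe>
<iframe src="/app.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe sandbox="allow-script" src="/typo.html"></iframe>`;

for (const report of auditIframes(SAMPLE)) console.log(report.tokens, report.findings);
```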

Learned in:
Choice Words about the Upcoming Deprecation of JavaScript Dialogs

