Sandbox

[This documentation is preliminary and is subject to change.]

Windows Internet Explorer 10 Consumer Preview and Metro style apps using JavaScript support the sandbox attribute. The sandbox attribute enables security restrictions for iframe elements that contain untrusted content. These restrictions enhance security by preventing untrusted content from performing actions that can lead to potentially malicious behavior.

The sandbox attribute is specified in Section 4.8.2 of the World Wide Web Consortium (W3C)’s HTML5 specification, which is currently in the Working Draft stage.

Enabling sandbox

To enable these restrictions, specify the sandbox attribute, as shown in the following code example.


<iframe sandbox src="frame1.html"></iframe>

When the sandbox attribute is specified for an iframe element, the content in the iframe element is said to be sandboxed.

Behavior restricted by sandbox

When iframe elements are sandboxed, the following actions are restricted:

  • Sandboxed content cannot open pop-up windows or new browser windows. Methods that open pop-up windows (such as createPopup(), showModalDialog(), showModelessDialog(), and window.open()) fail silently.
  • Links cannot be opened in new windows.
  • Sandboxed content is considered to be from a unique domain, which prevents access to APIs that are protected by the same-origin policy such as cookies, local storage, and the Document Object Model (DOM) of other documents.
  • The top window cannot be navigated by sandboxed content.
  • Sandboxed content cannot submit form data.
  • Plugins (object, applet, embed, or frame) do not instantiate.
  • Automatic element behavior is disabled, including meta element refresh, autofocus for input controls, and autoplay for audio and video elements.
  • Selected features proprietary to Windows Internet Explorer are disabled for sandboxed content, including HTML Components (HTCs), binary behaviors, databinding, and window.external.

Customizing sandbox restrictions

Internet Explorer 10 and Metro style apps using JavaScript enable you to customize selected sandbox restrictions. To do so, specify one or more of the following customization flags as the value of the sandbox attribute.

Flag                   Description
allow-scripts          Sandboxed content is allowed to run JavaScript.
allow-forms            Sandboxed content can submit forms.
allow-same-origin      Sandboxed content can access APIs protected by the same-origin policy, including local storage, cookies, XMLHttpRequest, and documents hosted on the same domain.
allow-top-navigation   Sandboxed content is allowed to change the location of the top window.
ms-allow-popups        Sandboxed content is allowed to open popup windows.

The following example shows a sandboxed iframe element that uses customization flags to customize the restrictions for the content in the element.


<iframe sandbox="allow-forms allow-same-origin" src="frame1.html"></iframe>

This example permits form submission and access to local data sources. Be aware that multiple customization flags are separated by spaces.
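
The following review helper is an added example, not part of the original documentation: it scans markup for iframe elements and reports which of the flags above each one grants, which stay blocked, and anything worth a second look. The function names and sample markup are constructed for illustration; case-insensitive token matching and the warning for allow-scripts combined with allow-same-origin follow the HTML specification rather than this page.

```javascript
// Flags from the table above (Internet Explorer 10 Consumer Preview).
const KNOWN_FLAGS = ['allow-scripts', 'allow-forms', 'allow-same-origin',
                     'allow-top-navigation', 'ms-allow-popups'];

// Constructed sample markup; file names are placeholders.
const SAMPLE = `
<iframe sandbox src="frame1.html"></iframe>
<iframe sandbox="allow-forms allow-same-origin" src="frame1.html"></iframe>
<iframe sandbox="Allow-Scripts allow-same-origin allow-form" src="frame2.html"></iframe>
<iframe src="frame3.html"></iframe>`;

// Parse one tag's attributes into a Map: lowercased name -> value ('' when bare).
function parseAttributes(attrText) {
  const attrs = new Map();
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of attrText.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// One finding per iframe: flags granted, flags still blocked, and review warnings.
// Simple tag scan for review use, not a full HTML parser.
function auditIframes(html) {
  const findings = [];
  for (const tag of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = parseAttributes(tag[1]);
    const f = { src: attrs.get('src') ?? null, sandboxed: attrs.has('sandbox'),
                granted: [], blocked: [], warnings: [] };
    findings.push(f);
    if (!f.sandboxed) {
      f.warnings.push('no sandbox attribute: no restrictions apply');
      continue;
    }
    // Flags are space-separated; HTML compares the tokens case-insensitively.
    const tokens = new Set(attrs.get('sandbox').toLowerCase().split(/\s+/).filter(Boolean));
    for (const flag of KNOWN_FLAGS) (tokens.has(flag) ? f.granted : f.blocked).push(flag);
    for (const t of tokens) {
      if (!KNOWN_FLAGS.includes(t)) f.warnings.push(`"${t}" is not a flag in the table above`);
    }
    if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
      // Per the HTML specification: same-origin framed script can remove the attribute.
      f.warnings.push('allow-scripts + allow-same-origin: same-origin content can lift its own sandbox');
    }
  }
  return findings;
}

console.log(JSON.stringify(auditIframes(SAMPLE), null, 2));
```

A misspelled flag such as allow-form in the third sample frame grants nothing, so the frame stays more restricted than its author intended; the report surfaces that alongside frames that are not sandboxed at all.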

For a hands-on demonstration of HTML5 Sandbox in action, see Defense in Depth: HTML5 Sandbox on the IE Test Drive.

Related topics

HTML5
Internet Explorer 10 Guide for Developers

 

 

Build date: 3/14/2012
