all
alt
ch
dir
id
min
rel
top
url
URL
urn
Expand Minimize

security attribute

Sets the value indicating whether the source file of a frame or iframe has specific security restrictions applied.

This attribute is not supported for Windows Runtime apps using JavaScript.

Syntax

HTML
<element security="" ... >

 

JScript

 

Property values

sSecure

A String that specifies the following value.

ValueMeaning
restricted

Applies security settings of the Restricted Sites zone to frame source files or iframe source files.

Standards information

There are no standards that apply here.

Remarks

The sSecure value must specify restricted. Because security is an attribute only, it must be defined in the frame element declaration.

If a frame is restricted by the security attribute, all nested frames share the same restrictions.

The security attribute applies the user security setting Restricted Sites to the source file of a frame or iframe. (Zone settings are found on the Security tab of the Internet Options dialog box.) By default, scripting is not enabled in the Restricted Sites zone. By changing the security settings of the zone, various negative results can occur, including, but are not limited to, allowing script to run.

Independent of user security settings, the security attribute affects the behavior of hyperlinks and forms inside a restricted frame or iframe in the following two ways.

  • Hyperlinks and forms open in a new window. This happens even when the target attribute specifies "_self" for a frame nested in the restricted frame. In the following example, when you click a hyperlink in the iframe, a new window opens with the requested document.
    
    <iframe security="restricted" src="http://www.microsoft.com"></iframe>
    
    
  • The security attribute restricts use of the javascript, vbscript, and about protocols in the URL. For example, in a restricted frame or iframe, the source file cannot execute the following code.
    
    <a href="javascript:alert('Disallowed in restricted FRAME or IFRAME!');">JavaScript Link</a>
    
    

Security Warning:   If the restricted document contains script, the script can be executed when the page is opened in a new window, depending on the security settings of the zone. This is not a problem if the restricted iframe contains inline content, for example, there is no src attribute; or if the content comes from a another more restricted domain, for example, "contoso.com" hosts a page from "untrusted.com". However, when content from the same domain is hosted in a restricted frame, care should be taken to limit the action of hyperlinks and forms. Refer to the following example.

You can access the properties and contents of a restricted frame or iframe through the Document Object Model (DOM) of the container document.

Requirements

Minimum supported client

Windows XP

Minimum supported server

Windows 2000 Server

See also

frame
iframe

 

 

Show:
© 2014 Microsoft