The topic you requested is included in another documentation set. For convenience, it's displayed below. Choose Switch to see the topic in its original location.

sandbox property

Enables security restrictions for iframe elements that contain potentially untrusted content.

This property is read-only.


ptr = object.sandbox


Property values

Type: DOMString

Customizes the security restrictions that are enabled. To enable all restrictions, do not specify a value for this attribute. When a value is specified for this attribute, it must specify one or more of the following values separated by spaces.


Sandboxed content is allowed to run JavaScript.


Sandboxed content can submit forms.


Sandboxed content can access APIs protected by the same-origin policy, including local storage, cookies, XMLHttpRequest, and documents hosted on the same domain.


Sandboxed content is allowed to change the location of the top window.


Sandboxed content is allowed to open popup windows.

Note  Pre-release versions of a Windows Store app using JavaScript supported this value using a vendor prefix. Applications that use a vendor-prefix for this value should be updated to ensure future compatibility and standards-compliance.



When the sandbox attribute is specified for an iframe element, the content in the iframe element is said to be sandboxed. In addition, the following restrictions are applied to the iframe element:

  • Sandboxed content cannot open pop-up windows or new browser windows. Methods that open pop-up windows (such as createPopup(), showModalDialog(), showModelessDialog(), and , fail silently.
  • Links cannot be opened in new windows.
  • Sandboxed content is considered to be from a unique domain, which prevents access to APIs that are protected by the same-origin policy such as cookies, local storage, and the Document Object Model (DOM) of other documents.
  • The top window cannot be navigated by sandboxed content.
  • Sandboxed content cannot submit form data.
  • Plugins (object, applet, embed, or frame) do not instantiate.
  • Automatic element behavior is disabled, including meta element refresh, autofocus for input controls, and autoplay for audio and video elements.
  • Selected features proprietary to a Windows Store app using JavaScript are disabled for sandboxed content, including HTML Components (HTCs), binary behaviors, databinding, and window.external.

To customize sandbox restrictions for a given iframe element, specify one or more of the possible values as the value for the sandbox attribute. Use spaces to separate multiple values.


The following example shows how to use the sandbox attribute to enable sandbox restrictions.

<iframe sandbox src="frame1.html"></iframe>

The following example shows a sandboxed iframe element that uses customization flags to customize the restrictions for the content in the element.

<iframe sandbox="allow-forms allow-same-origin" src="frame1.html"></iframe>

This example permits form submission and access to local data sources. Be aware that multiple customization flags are separated by spaces.

See also




© 2015 Microsoft