confi-emacs-inicial/elpa/ac-html-20151005.731/completion-data/html-attributes-short-docs/iframe-sandbox


sandbox [HTML5 only]
When present, this attribute enables extra restrictions on the content that can appear in the inline frame. Its value is either an empty string (all restrictions are applied) or a space-separated list of tokens, each of which lifts one particular restriction. Valid tokens are:
allow-same-origin: Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
allow-top-navigation: Allows the embedded browsing context to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.
allow-forms: Allows the embedded browsing context to submit forms. If this keyword is not used, this operation is not allowed.
allow-popups: Allows popups (like from window.open).
allow-scripts: Allows the embedded browsing context to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
allow-pointer-lock: Allows the embedded browsing context to use the Pointer Lock API.
Note:
When the embedded document has the same origin as the main page, using both allow-scripts and allow-same-origin at the same time is strongly discouraged, because it allows the embedded document to reach the parent and programmatically remove the sandbox attribute. Although the combination is accepted, this case is no more secure than not using the sandbox attribute at all.
Sandboxing in general is only of minimal help if the attacker can arrange for the potentially hostile content to be displayed in the user's browser outside a sandboxed iframe. It is recommended that such content should be served from a separate dedicated domain, to limit the potential damage.
The sandbox attribute is not supported in Internet Explorer 9 and earlier versions, or in Opera.
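The following is an added example, not part of the ac-html completion data: it tokenises a sandbox attribute value the way the browser does (ASCII whitespace separated, case-insensitive, duplicates ignored), rejects tokens this doc does not list, and flags the allow-scripts + allow-same-origin hazard from the note above. The two origins passed in are assumed, constructed inputs standing for the embedding page and the framed document.

```javascript
// Tokens documented for the sandbox attribute on this page.
const KNOWN_TOKENS = new Set([
  "allow-same-origin", "allow-top-navigation", "allow-forms",
  "allow-popups", "allow-scripts", "allow-pointer-lock",
]);

// Split the attribute value on ASCII whitespace, compare tokens
// case-insensitively and drop duplicates; anything not in KNOWN_TOKENS
// is reported rather than silently ignored.
function parseSandbox(value) {
  const tokens = new Set();
  const unknown = [];
  for (const raw of String(value).split(/[ \t\n\f\r]+/)) {
    if (raw === "") continue;
    const t = raw.toLowerCase();
    if (KNOWN_TOKENS.has(t)) tokens.add(t);
    else unknown.push(raw);
  }
  return { tokens, unknown };
}

// Work out what the sandboxed frame may do. parentOrigin is the origin of the
// embedding page, frameOrigin the origin the framed document was loaded from
// (both constructed inputs in the test below).
function analyzeSandbox(value, parentOrigin, frameOrigin) {
  const { tokens, unknown } = parseSandbox(value);
  const has = (t) => tokens.has(t);
  // Without allow-same-origin the frame gets a unique (opaque) origin.
  const effectiveOrigin = has("allow-same-origin") ? frameOrigin : "unique origin";
  // Same-origin document + allow-scripts + allow-same-origin: script in the
  // frame can reach parent.document and strip the sandbox attribute, which
  // is the case the note calls "no more secure than not using sandbox".
  const sandboxEscapable =
    has("allow-scripts") && has("allow-same-origin") && frameOrigin === parentOrigin;
  return {
    tokens: [...tokens].sort(),
    unknownTokens: unknown,
    effectiveOrigin,
    scripts: has("allow-scripts"),
    forms: has("allow-forms"),
    popups: has("allow-popups"),
    topNavigation: has("allow-top-navigation"),
    pointerLock: has("allow-pointer-lock"),
    sandboxEscapable,
  };
}
```

A build-time lint over templates can call analyzeSandbox with the site's own origin for both arguments to catch the escapable combination before it ships.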