Example:

An with extra restrictions:

<iframe src="demo_iframe_sandbox.htm" sandbox=""></iframe>

the sandbox attribute is supported in Internet Explorer 10, Firefox, Chrome, and Safari.

Note: The sandbox attribute is not supported in Internet Explorer 9 and earlier versions, or in Opera.

Definition and Usage

If specified as an empty string (sandbox=""), the sandbox attribute enables a set of extra restrictions for the content in the inline frame.

The value of the sandbox attribute can either be an empty string (all the restrictions is applied), or a space-separated list of pre-defined values that will REMOVE particular restrictions.

Differences Between HTML 4.01 and HTML5

The sandbox attribute is new in HTML5.

Syntax

<iframe sandbox="value">

Attribute Values

1. "" => Applies all restrictions below
2. allow-same-origin => Allows the iframe content to be treated as being from the same origin as the containing document
3. allow-top-navigation => Allows the iframe content to navigate (load) content from the containing document
4. allow-forms => Allows form submission
5. allow-scripts => Allows script execution

javascript: is a kind of weird URI protocol. It works in some contexts, like , but not all - for instance, a window's location can not be set to such a URI. (While you can assign a javascript: URI to window.location as a really roundabout way of running a script, the window's location doesn't stay set to that value.)

To write content into an IFRAME, get a reference to the frame's document and write to it. Doing so will require that you set the allow-same-origin sandbox flag.

<iframe id="myframe" sandbox="allow-scripts allow-same-origin" src="about:blank"></iframe>

<script>
    var frame = document.getElementById("myframe");
    var fdoc = frame.contentDocument;

    fdoc.write("Hello world"); // or whatever
</script>

Live example: http://jsfiddle.net/wUvrF/1/