Microsoft Edge provides support for the
sandbox attribute. The
sandbox attribute enables security restrictions for
iframe elements that contain untrusted content. These restrictions enhance security by preventing untrusted content from performing actions that can lead to potentially malicious behavior.
sandbox attribute is specified in the HTML5 specification.
To enable these restrictions, specify the
sandbox attribute, as shown in the following code example:
<iframe sandbox src="frame1.html"></iframe>
sandbox attribute is specified for an
iframe element, the content in the
iframe element is said to be sandboxed.
Behavior restricted by sandbox
iframe elements are sandboxed, the following actions are restricted:
- Sandboxed content cannot open pop-up windows or new browser windows. Methods that open pop-up windows (such as
open()), fail silently.
- Links cannot be opened in new windows.
- Sandboxed content is considered to be from a unique domain, which prevents access to APIs that are protected by the same-origin policy such as cookies, local storage, and the Document Object Model (DOM) of other documents.
- The top window cannot be navigated by sandboxed content.
- Sandboxed content cannot submit form data.
- Plugins (
frame) do not instantiate.
- Automatic element behavior is disabled, including
- Selected features proprietary to Windows Internet Explorer are disabled for sandboxed content, including HTML Components (HTCs), binary behaviors, databinding, and
Customizing sandbox restrictions
With Microsoft Edge, you are able to customize selected sandbox restrictions. To do so, specify one or more of the following customization flags as the value of the
|allow-forms||Sandboxed content can submit forms.|
|allow-same-origin||Sandboxed content can access APIs protected by the same-origin policy, including local storage, cookies,
|allow-top-navigation||Sandboxed content is allowed to change the location of the top window.|
|allow-popups||Sandboxed content is allowed to open popup windows.|
The following example shows a sandboxed
iframe element that uses customization flags to customize the restrictions for the content in the element.
<iframe sandbox="allow-forms allow-same-origin" src="frame1.html"></iframe>
This example permits form submission and access to local data sources. Be aware that multiple customization flags are separated by spaces.