State of the HTML iframe sandbox (updated 2016-07-17)
Date: 23 Jan 2016
Author: Erik Dubbelboer
Most browsers support the iframe sandbox attribute in some form:
| Browser | Version | 
|---|---|
| IE | 10+ (msdn) | 
| Chrome | 5+ (blog) | 
| Firefox | 17+ (mdn) | 
| Opera | 15+ (msdn) | 
| Safari | 5+ | 
Commonly supported tokens are:
| Token | 
|---|
| allow-forms | 
| allow-orientation-lock | 
| allow-pointer-lock | 
| allow-same-origin | 
| allow-scripts | 
| allow-top-navigation | 
Propagation
When an iframe opens a new window through target=_blank or window.open(), some browsers will propagate the sandbox attributes to this new window.
| Browser | Action | 
|---|---|
| IE | Always propagates | 
| Firefox | Propagates until 49, see below | 
| Chrome | Propagates until 46, see below | 
| Opera | 30-34 and Next seem to propagate | 
| Safari | ? | 
Attributes
The following attributes are supported by all browsers that implement the sandbox attribute: allow-scripts, allow-forms, allow-same-origin, allow-top-navigation.
Attributes that are not always supported:
allow-popups
Firefox: 27+. Before this version, popups were always disallowed.
Other browsers: always supported.
allow-popups-to-escape-sandbox
Chrome 46+ (test)
Before 46, Chrome always propagated the sandbox attributes to popups.
Firefox: currently not supported. Work has finished in Bugzilla #1190641, and it will be released with Firefox 49 in September 2016.
allow-modals
Chrome 46+ (test)
Before 46, Chrome always allowed modals. All other browsers always allow modals.
Firefox: will be added in Firefox 49, which will be released in September 2016.
Other browsers: not supported.
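The support notes above, encoded as an added example (not code from the original post): given a sandbox value and a browser version, it reports whether popups are blocked, stay sandboxed, or escape the sandbox, and whether modals are allowed. The browser keys, function names and data layout are assumptions; the Firefox 49 entries reflect the planned release mentioned above.

```javascript
// Added example. Support data is transcribed from this page (state as of
// 2016-07-17); browser keys and all names are illustrative assumptions.
// Value = first version that honours the token; `other` covers unlisted browsers.
const TOKEN_SINCE = {
  'allow-popups': { firefox: 27, other: 0 },
  'allow-popups-to-escape-sandbox': { chrome: 46, firefox: 49 }, // Firefox 49: planned
  'allow-modals': { chrome: 46, firefox: 49 },                   // Firefox 49: planned
};

// Does this browser version act on the token at all?
function honours(token, browser, version) {
  const row = TOKEN_SINCE[token];
  const since = row[browser] ?? row.other;
  return since !== undefined && version >= since;
}

function sandboxOutcome(sandboxValue, browser, version) {
  // The attribute is a whitespace-separated, case-insensitive token set.
  const tokens = new Set(sandboxValue.toLowerCase().split(/\s+/).filter(Boolean));
  const active = (t) => tokens.has(t) && honours(t, browser, version);

  let popups = 'blocked';
  if (active('allow-popups')) {
    // An ignored escape token means the popup inherits the sandbox.
    popups = active('allow-popups-to-escape-sandbox') ? 'unsandboxed' : 'sandboxed';
  }
  // Browsers that do not know allow-modals never block modals.
  const modals = honours('allow-modals', browser, version)
    ? tokens.has('allow-modals')
    : true;
  return { popups, modals };
}

// Constructed sample: one attribute value, different containment per browser.
const sample = 'allow-scripts allow-popups allow-popups-to-escape-sandbox';
for (const [browser, version] of [['chrome', 45], ['chrome', 46], ['ie', 11], ['firefox', 26]]) {
  console.log(browser, version, sandboxOutcome(sample, browser, version));
}
```

Running it shows that a policy relying on allow-modals being absent, or on popups staying sandboxed, holds only in the browser versions that recognise the relevant token.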