HTMLIFrameElement: sandbox property

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since ⁨July 2015⁩.

The read-onlysandbox property of theHTMLIFrameElement returns a liveDOMTokenList object indicating extra restrictions on the behavior of the nested content. It reflects the<iframe> element'ssandbox content attribute.

Value

A liveDOMTokenList object.

Although thesandbox property itself is read-only in the sense that you can't replace theDOMTokenList object, you can still assign to thesandbox property directly, which is equivalent to assigning to itsvalue property. You can also modify theDOMTokenList object using theadd(),remove(),replace(), andtoggle() methods.

Examples

html

<iframe   title="example"  src="https://example.com"  sandbox="allow-same-origin allow-scripts"></iframe>

const el = document.getElementById("el");console.log(Array.from(el.sandbox)); // Output: ["allow-same-origin", "allow-scripts"]el.sandbox = "";console.log(Array.from(el.sandbox)); // Output: []

Specifications

Specification
HTML # dom-iframe-sandbox

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on⁨Nov 25, 2025⁩ byMDN contributors.

View this page on GitHub •Report a problem with this content