HTMLIFrameElement: sandbox property

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since ⁨July 2015⁩.

The read-only sandbox property of the HTMLIFrameElement returns a live DOMTokenList object indicating extra restrictions on the behavior of the nested content. It reflects the <iframe> element's sandbox content attribute.

Value

A live DOMTokenList object.

Although the sandbox property itself is read-only in the sense that you can't replace the DOMTokenList object, you can still assign to the sandbox property directly, which is equivalent to assigning to its value property. You can also modify the DOMTokenList object using the add(), remove(), replace(), and toggle() methods.

Examples

html

<iframe
 id="el"
 title="example"
 src="https://example.com"
 sandbox="allow-same-origin allow-scripts"></iframe>

const el = document.getElementById("el");
console.log(Array.from(el.sandbox)); // Output: ["allow-same-origin", "allow-scripts"]
el.sandbox = "";
console.log(Array.from(el.sandbox)); // Output: []

Specifications

Specification
HTML # dom-iframe-sandbox

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on ⁨Nov 25, 2025⁩ by MDN contributors.

View this page on GitHub • Report a problem with this content