The HTML `iframe` tag
Discover the basics of working with the HTML `iframe` tag
The iframe
tag allows us to embed content coming from other origins (other sites) into our web page.
Technically, an iframe creates a new nested browsing context. This means that anything in the iframe does not interfere with the parent page, and vice versa. JavaScript and CSS do not “leak” to/from iframes.
Many sites use iframes to perform various things. You might be familiar with Codepen, Glitch or other sites that allow you to code in one part of the page, and you see the result in a box. That’s an iframe.
You create one this way:
<iframe src="page.html"></iframe>
You can load an absolute URL, too:
<iframe src="https://site.com/page.html"></iframe>
You can set a set of width and height parameters (or set them using CSS) otherwise the iframe will use the defaults, a 300x150 pixels box:
<iframe src="page.html" width="800" height="400"></iframe>
Srcdoc
The srcdoc
attribute lets you specify some inline HTML to show. It’s an alternative to src
, but recent and not supported in Edge 18 and lower, and in IE:
<iframe srcdoc="<p>My dog is a good dog</p>"></iframe>
Sandbox
The sandbox
attribute allows us to limit the operations allowed in the iframes.
If we omit it, everything is allowed:
<iframe src="page.html"></iframe>
If we set it to "", nothing is allowed:
<iframe src="page.html" sandbox=""></iframe>
We can select what to allow by adding options in the sandbox
attribute. You can allow multiple ones by adding a space in between. Here’s an incomplete list of the options you can use:
allow-forms
: allow to submit formsallow-modals
allow to open modals windows, including callingalert()
in JavaScriptallow-orientation-lock
allow to lock the screen orientationallow-popups
allow popups, usingwindow.open()
andtarget="_blank"
linksallow-same-origin
treat the resource being loaded as same originallow-scripts
lets the loaded iframe run scripts (but not create popups).allow-top-navigation
gives access to the iframe to the top level browsing context
Allow
Currently experimental and only supported by Chromium-based browsers, this is the future of resource sharing between the parent window and the iframe.
It’s similar to the sandbox
attribute, but lets us allow specific features, including:
accelerometer
gives access to the Sensors API Accelerometer interfaceambient-light-sensor
gives access to the Sensors API AmbientLightSensor interfaceautoplay
allows to autoplay video and audio filescamera
allows to access the camera from the getUserMedia APIdisplay-capture
allows to access the screen content using the getDisplayMedia APIfullscreen
allows to access fullscreen modegeolocation
allows to access the Geolocation APIgyroscope
gives access to the Sensors API Gyroscope interfacemagnetometer
gives access to the Sensors API Magnetometer interfacemicrophone
gives access to the device microphone using the getUserMedia APImidi
allows access to the Web MIDI APIpayment
gives access to the Payment Request APIspeaker
allows access to playing audio through the device speakersusb
gives access to the WebUSB API.vibrate
gives access to the Vibration APIvr
gives access to the WebVR API
Referrer
When loading an iframe, the browser sends it important information about who is loading it in the Referer
header (notice the single r
, a typo we must live with).
The misspelling of referrer originated in the original proposal by computer scientist Phillip Hallam-Baker to incorporate the field into the HTTP specification. The misspelling was set in stone by the time of its incorporation into the Request for Comments standards document RFC 1945
The referrerpolicy
attribute lets us set the referrer to send to the iframe when loading it. The referrer is an HTTP header that lets the page know who is loading it. These are the allowed values:
no-referrer-when-downgrade
it’s the default, and sends the referrer when the current page is loaded over HTTPS and the iframe loads on the HTTP protocolno-referrer
does not send the referrer headerorigin
the referrer is sent, and only contains the origin (port, protocol, domain), not the origin + path which is the defaultorigin-when-cross-origin
when loading from the same origin (port, protocol, domain) in the iframe, the referrer is sent in its complete form (origin + path). Otherwise only the origin is sentsame-origin
the referrer is sent only when loading from the same origin (port, protocol, domain) in the iframestrict-origin
sends the origin as the referrer if the current page is loaded over HTTPS and the iframe also loads on the HTTPS protocol. Sends nothing if the iframe is loaded over HTTPstrict-origin-when-cross-origin
sends the origin + path as the referrer when working on the same origin. Sends the origin as the referrer if the current page is loaded over HTTPS and the iframe also loads on the HTTPS protocol. Sends nothing if the iframe is loaded over HTTPunsafe-url
: sends the origin + path as the referrer even when loading resources from HTTP and the current page is loaded over HTTPS
→ I wrote 17 books to help you become a better developer:
- C Handbook
- Command Line Handbook
- CSS Handbook
- Express Handbook
- Git Cheat Sheet
- Go Handbook
- HTML Handbook
- JS Handbook
- Laravel Handbook
- Next.js Handbook
- Node.js Handbook
- PHP Handbook
- Python Handbook
- React Handbook
- SQL Handbook
- Svelte Handbook
- Swift Handbook
Also, JOIN MY CODING BOOTCAMP, an amazing cohort course that will be a huge step up in your coding career - covering React, Next.js - next edition February 2025