DEV Community

Cover image for HTML tags | iframe
Carlos Espada
Carlos Espada

Posted on

HTML tags | iframe

It is used to represent a nested browsing context, embedding another HTML page into the current one.

Each embedded browsing context has its own session history and document. The browsing context that embeds the others is called the "parent browsing context". The "topmost" browsing context — the one with no parent — is usually the browser window, represented by the Window object.

Because each browsing context is a complete document environment, every <iframe> in a page requires increased memory and other computing resources. While theoretically you can use as many <iframe>s as you like, check for performance problems.

allow

Specifies a feature policy for the <iframe>. The policy defines what features are available to the <iframe> based on the origin of the request (e.g. access to the microphone, camera, battery, web-share API, etc.).

allowfullscreen

Set to true if the <iframe> can activate fullscreen mode by calling the requestFullscreen() method.

This attribute is considered a legacy attribute and redefined as allow="fullscreen".

allowpaymentrequest

Set to true if a cross-origin <iframe> should be allowed to invoke the Payment Request API.

This attribute is considered a legacy attribute and redefined as allow="payment".

height

The height of the frame in CSS pixels. Default is 150.

loading

Indicates how the browser should load the iframe:

  • eager: load the iframe immediately, regardless if it is outside the visible viewport (this is the default value).
  • lazy: defer loading of the iframe until it reaches a calculated distance from the viewport, as defined by the browser.

name

A targetable name for the embedded browsing context. This can be used in the target attribute of the <a>, <form> or <base> elements; the formtarget attribute of the <input> or <button> elements; or the windowName parameter in the window.open() method.

referrerpolicy

Indicates which referrer to send when fetching the frame's resource:

  • no-referrer: the Referer header will not be sent.
  • no-referrer-when-downgrade: the Referer header will not be sent to origins without TLS (HTTPS).
  • origin: the sent referrer will be limited to the origin of the referring page: its scheme, host and port.
  • origin-when-cross-origin: the referrer sent to other origins will be limited to the scheme, the host and the port. Navigations on the same origin will still include the path.
  • same-origin: a referrer will be sent for same origin, but cross-origin requests will contain no referrer information.
  • strict-origin: only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
  • strict-origin-when-cross-origin (default): send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
  • unsafe-url: the referrer will include the origin and the path (but not the fragment, password or username). This value is unsafe, because it leaks origins and paths from TLS-protected resources to insecure origins.

sandbox

Applies extra restrictions to the content in the frame. The value of the attribute can either be empty to apply all restrictions, or space-separated tokens to lift particular restrictions:

  • allow-downloads-without-user-activation: allows for downloads to occur without a gesture from the user.
  • allow-downloads: allows for downloads to occur with a gesture from the user.
  • allow-forms: allows the resource to submit forms. If this keyword is not used, form submission is blocked.
  • allow-modals: lets the resource open modal windows.
  • allow-orientation-lock: lets the resource lock the screen orientation.
  • allow-pointer-lock: lets the resource use the Pointer Lock API.
  • allow-popups: allows popups (such as window.open(), target="_blank" or showModalDialog()). If this keyword is not used, the popup will silently fail to open.
  • allow-popups-to-escape-sandbox: lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to.
  • allow-presentation: lets the resource start a presentation session.
  • allow-same-origin: if this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).
  • allow-scripts: lets the resource run scripts (but not create popup windows).
  • allow-storage-access-by-user-activation: lets the resource request access to the parent's storage capabilities with the Storage Access API.
  • allow-top-navigation:lets the resource navigate the top-level browsing context (the one named _top).
  • allow-top-navigation-by-user-activation: lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.

When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.

Sandboxing is useless if the attacker can display content outside a sandboxed iframe — such as if the viewer opens the frame in a new tab. Such content should be also served from a separate origin to limit potential damage.

src

The URL of the page to embed. Use a value of about:blank to embed an empty page that conforms to the same-origin policy. Also note that programmatically removing an <iframe>'s src attribute (e.g. via Element.removeAttribute()) causes about:blank to be loaded in the frame in Firefox (from version 65), Chromium-based browsers and Safari/iOS.

srcdoc

Inline HTML to embed, overriding the src attribute. If a browser does not support the srcdoc attribute, it will fall back to the URL in the src attribute.

width

The width of the frame in CSS pixels. Default is 300.

As a replaced element, the position, alignment and scaling of the embedded document within the <iframe> element's box, can be adjusted with the object-position and object-fit properties.

Accessibility

People navigating with assistive technology such as a screen reader can use the title attribute on an <iframe> to label its content. The title's value should concisely describe the embedded content:

<iframe title="Wikipedia page for Avocados" src="https://en.wikipedia.org/wiki/Avocado"></iframe>
Enter fullscreen mode Exit fullscreen mode

Without this title, they have to navigate into the <iframe> to determine what its embedded content is. This context shift can be confusing and time-consuming, especially for pages with multiple <iframe>s and/or if embeds contain interactive content like video or audio.

  • Type: block
  • Self-closing: No
  • Semantic value: No

Definition | Example | Support

Discussion (0)