files/en-us/web/api/htmliframeelement/sandbox/index.md
{{APIRef("HTML DOM")}}
The read-only sandbox property of the {{domxref("HTMLIFrameElement")}} returns a live {{domxref("DOMTokenList")}} object indicating extra restrictions on the behavior of the nested content. It reflects the {{HTMLElement("iframe")}} element's sandbox content attribute.
A live {{domxref("DOMTokenList")}} object.
Although the sandbox property itself is read-only in the sense that you can't replace the DOMTokenList object, you can still assign to the sandbox property directly, which is equivalent to assigning to its {{domxref("DOMTokenList/value", "value")}} property. You can also modify the DOMTokenList object using the {{domxref("DOMTokenList/add", "add()")}}, {{domxref("DOMTokenList/remove", "remove()")}}, {{domxref("DOMTokenList/replace", "replace()")}}, and {{domxref("DOMTokenList/toggle", "toggle()")}} methods.
<iframe
id="el"
title="example"
src="https://example.com"
sandbox="allow-same-origin allow-scripts"></iframe>
const el = document.getElementById("el");
console.log(Array.from(el.sandbox)); // Output: ["allow-same-origin", "allow-scripts"]
el.sandbox = "";
console.log(Array.from(el.sandbox)); // Output: []
{{Specifications}}
{{Compat}}