files/en-us/web/html/reference/elements/iframe/index.md
The <iframe> HTML element represents a nested {{Glossary("browsing context")}}, embedding another HTML page into the current one.
{{InteractiveExample("HTML Demo: <iframe>", "tabbed-standard")}}
<iframe
id="inlineFrameExample"
title="Inline Frame Example"
width="300"
height="200"
src="https://www.openstreetmap.org/export/embed.html?bbox=-0.004017949104309083%2C51.47612752641776%2C0.00030577182769775396%2C51.478569861898606&layer=mapnik">
</iframe>
iframe {
border: 1px solid black;
width: 100%; /* takes precedence over the width set with the HTML width attribute */
}
Each embedded browsing context has its own document and allows URL navigations. The navigations of each embedded browsing context are linearized into the session history of the topmost browsing context. The browsing context that embeds the others is called the parent browsing context. The topmost browsing context — the one with no parent — is usually the browser window, represented by the {{domxref("Window")}} object.
[!WARNING] Because each browsing context is a complete document environment, every
<iframe>in a page requires increased memory and other computing resources. While theoretically you can use as many<iframe>s as you like, check for performance problems.
This element includes the global attributes.
allow
: Specifies a Permissions Policy for the <iframe>. The policy defines what features are available to the <iframe> (for example, access to the microphone, camera, battery, web-share, etc.) based on the origin of the request.
See iframes in the Permissions-Policy topic for examples.
[!NOTE] A Permissions Policy specified by the
allowattribute implements a further restriction on top of the policy specified in the {{httpheader("Permissions-Policy")}} header. It doesn't replace it.
allowfullscreen
: Set to true if the <iframe> can activate fullscreen mode by calling the {{domxref("Element.requestFullscreen", "requestFullscreen()")}} method.
[!NOTE] This attribute is considered a legacy attribute and redefined as
allow="fullscreen *".
allowpaymentrequest {{deprecated_inline}} {{non-standard_inline}}
: Set to true if a cross-origin <iframe> should be allowed to invoke the Payment Request API.
[!NOTE] This attribute is considered a legacy attribute and redefined as
allow="payment *".
browsingtopics {{non-standard_inline}} {{deprecated_inline}}
<iframe>'s source. See Using the Topics API for more details.credentialless {{Experimental_Inline}}
true to make the <iframe> credentialless, meaning that its content will be loaded in a new, ephemeral context. It doesn't have access to the network, cookies, and storage data associated with its origin. It uses a new context local to the top-level document lifetime. In return, the {{httpheader("Cross-Origin-Embedder-Policy")}} (COEP) embedding rules can be lifted, so documents with COEP set can embed third-party documents that do not. See IFrame credentialless for more details.csp {{experimental_inline}}
height
150.loading
eager
lazy
: Defer loading of the iframe until it reaches a calculated distance from the {{glossary("visual viewport")}}, as defined by the browser. The intent is to avoid using the network and storage bandwidth required to fetch the frame until the browser is reasonably certain that it will be needed. This improves the performance and cost in most typical use cases, in particular by reducing initial page load times.
[!NOTE] Loading is only deferred when JavaScript is enabled. This is an anti-tracking measure.
name
target attribute of the {{HTMLElement("a")}}, {{HTMLElement("form")}}, or {{HTMLElement("base")}} elements; the formtarget attribute of the {{HTMLElement("input")}} or {{HTMLElement("button")}} elements; or the windowName parameter in the {{domxref("Window.open()","window.open()")}} method. In addition, the name becomes a property of the {{domxref("Window")}} and {{domxref("Document")}} objects, containing a reference to the embedded window or the element itself.privateToken {{experimental_inline}}
RequestInit dictionary's privateToken property. IFrames containing this attribute can initiate operations such as issuing or redeeming tokens when their embedded content is loaded.referrerpolicy
no-referrer
no-referrer-when-downgrade
origin
origin-when-cross-origin
same-origin
strict-origin
strict-origin-when-cross-origin (default)
unsafe-url
sandbox
: Controls the restrictions applied to the content embedded in the <iframe>. The value of the attribute can either be empty to apply all restrictions, or space-separated tokens to lift particular restrictions:
allow-downloads
allow-forms
allow-modals
allow-orientation-lock
allow-pointer-lock
allow-popups
target="_blank"). If this keyword is not used, such functionality will silently fail.allow-popups-to-escape-sandbox
<iframe>.allow-presentation
allow-same-origin
[!NOTE] When
allow-same-originis present, a same-origin parent document can still access and interact with the iframe's DOM even ifallow-scriptsis not set. Theallow-scriptstoken only controls script execution within the embedded browsing context and does not affect DOM access from the parent.
allow-scripts
allow-storage-access-by-user-activation {{experimental_inline}}
<iframe> to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to unpartitioned cookies.allow-top-navigation
_top).allow-top-navigation-by-user-activation
allow-top-navigation-to-custom-protocols
http protocols built into browser or registered by a website. This feature is also activated by allow-popups or allow-top-navigation keyword.[!NOTE]
- When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both
allow-scriptsandallow-same-origin, as that lets the embedded document remove thesandboxattribute — making it no more secure than not using thesandboxattribute at all.- Sandboxing is useless if the attacker can display content outside a sandboxed
iframe— such as if the viewer opens the frame in a new tab. Such content should be also served from a separate origin to limit potential damage.
[!NOTE] When redirecting the user, opening a popup window, or opening a new tab from an embedded page within an
<iframe>with thesandboxattribute, the new browsing context is subject to the samesandboxrestrictions. This can create issues — for example, if a page embedded within an<iframe>without asandbox="allow-forms"orsandbox="allow-popups-to-escape-sandbox"attribute set on it opens a new site in a separate tab, form submission in that new browsing context will silently fail.
src
: The URL of the page to embed. Use a value of about:blank to embed an empty page that conforms to the same-origin policy. Also note that programmatically removing an <iframe>'s src attribute (e.g., via {{domxref("Element.removeAttribute()")}}) causes about:blank to be loaded in the frame in Firefox (from version 65), Chromium-based browsers, and Safari/iOS.
[!NOTE] The
about:blankpage uses the embedding document's URL as its base URL when resolving any relative URLs, such as anchor links.
srcdoc
: Inline HTML to embed, overriding the src attribute. Its content should follow the syntax of a full HTML document, which includes the doctype directive, <html>, <body> tags, etc., although most of them can be omitted, leaving only the body content. This doc will have about:srcdoc as its location. If a browser does not support the srcdoc attribute, it will fall back to the URL in the src attribute.
[!NOTE] The
about:srcdocpage uses the embedding document's URL as its base URL when resolving any relative URLs, such as anchor links.
width
300.These attributes are deprecated and may no longer be supported by all user agents. You should not use them in new content, and try to remove them from existing content.
align {{deprecated_inline}}
frameborder {{deprecated_inline}}
1 (the default) draws a border around this frame. The value 0 removes the border around this frame, but you should instead use the CSS property {{cssxref("border")}} to control <iframe> borders.longdesc {{deprecated_inline}}
marginheight {{deprecated_inline}}
marginwidth {{deprecated_inline}}
scrolling {{deprecated_inline}}
auto
yes
no
Inline frames, like {{HTMLElement("frame")}} elements, are included in the {{domxref("window.frames")}} pseudo-array.
With the DOM {{domxref("HTMLIFrameElement")}} object, scripts can access the {{domxref("window")}} object of the framed resource via the {{domxref("HTMLIFrameElement.contentWindow", "contentWindow")}} property. The {{domxref("HTMLIFrameElement.contentDocument", "contentDocument")}} property refers to the document inside the <iframe>, same as contentWindow.document.
From the inside of a frame, a script can get a reference to its parent window with {{domxref("window.parent")}}.
Script access to a frame's content is subject to the same-origin policy.
Scripts cannot access most properties in other window objects if the script was loaded from a different origin, including scripts inside a frame accessing the frame's parent.
Cross-origin communication can be achieved using {{domxref("Window.postMessage()")}}.
Scripts running in a same-origin frame can access the {{domxref("Window.top")}} property and set {{domxref("Window.location","window.top.location")}} to redirect the top-level page to a new location. This behavior is referred to as "top navigation".
A cross-origin frame is allowed to redirect the top-level page using top only if the frame has {{glossary("sticky activation")}}.
If top navigation is blocked, browsers may either prompt for user permission to redirect or report the error in the developer console (or both).
This restriction by browsers is called framebusting intervention.
What this means is that a cross-origin frame can't immediately redirect the top-level page — the user must have previously interacted with the frame or granted permission to redirect.
A sandboxed frame blocks all top navigation unless the sandbox attribute values are set to allow-top-navigation or allow-top-navigation-by-user-activation.
Note that top-navigation permissions are inherited, so a nested frame can perform a top navigation only if its parent frames are also allowed to.
Being a {{ glossary("replaced elements", "replaced element")}}, the <iframe> allows the position of the embedded document within its box to be adjusted using the {{cssxref("object-position")}} property.
[!NOTE] The {{cssxref("object-fit")}} property has no effect on
<iframe>elements.
error and load event behaviorThe error and load events fired on <iframe>s could be used to probe the URL space of the local network's HTTP servers. Therefore, as a security precaution user agents do not fire the error event on <iframe>s, and the load event is always triggered even if the <iframe> content fails to load.
People navigating with assistive technology such as a screen reader can use the title attribute on an <iframe> to label its content. The title's value should concisely describe the embedded content:
<iframe
title="Wikipedia page for Avocados"
src="https://en.wikipedia.org/wiki/Avocado"></iframe>
Without this title, they have to navigate into the <iframe> to determine what its embedded content is. This context shift can be confusing and time-consuming, especially for pages with multiple <iframe>s and/or if embeds contain interactive content like video or audio.
This example embeds the page at https://example.org in an iframe. This is a common use case of iframes: to embed content from another site. For example, the live sample itself, and the try it example at the top, are both <iframe> embeds of content from another MDN site.
<iframe
src="https://example.org"
title="iframe Example 1"
width="400"
height="300">
</iframe>
{{ EmbedLiveSample('A_basic_iframe', 640,400)}}
This example directly renders source code in an iframe. This can be used as a technique to prevent script injection when displaying user-generated content, when combined with the sandbox attribute.
Note that when using srcdoc, any relative URLs in the embedded content will be resolved relative to the URL of the embedding page. If you want to use anchor links that point to places in the embedded content, you need to explicitly specify about:srcdoc as the base URL.
<article>
<footer>Nine minutes ago, <i>jc</i> wrote:</footer>
<iframe
sandbox
srcdoc="<p>There are two ways to use the <code>iframe</code> element:</p>
<ol>
<li><a href="about:srcdoc#embed_another">To embed content from another page</a></li>
<li><a href="about:srcdoc#embed_user">To embed user-generated content</a></li>
</ol>
<h2 id="embed_another">Embedding content from another page</h2>
<p>Use the <code>src</code> attribute to specify the URL of the page to embed:</p>
<pre><code>&lt;iframe src="https://example.org"&gt;&lt;/iframe&gt;</code></pre>
<h2 id="embed_user">Embedding user-generated content</h2>
<p>Use the <code>srcdoc</code> attribute to specify the content to embed. This post is already an example!</p>
"
width="500"
height="250"
></iframe>
</article>
Here's how to write escape sequences when using srcdoc:
<, >, &, etc.).< and < represent the exact same character in the srcdoc attribute. Therefore, to make it an actual escape sequence in the HTML document, replace any ampersands (&) with &. For example, < becomes &lt;, and & becomes &amp;.") with " to prevent the srcdoc attribute from being prematurely terminated (if you use ' instead, then you should replace ' with ' instead). This step happens after the previous one, so " generated in this step doesn't become &quot;.{{ EmbedLiveSample('Embedding_source_code_in_an_iframe', 640, 300)}}
{{Specifications}}
{{Compat}}