W3cubDocs

/HTML

<iframe>

The <iframe> represents a nested browsing context, embedding another HTML page into the current one.

Each embedded browsing context has its own session history and document. The browsing context that embeds the others is called the parent browsing context. The topmost browsing context — the one with no parent — is usually the browser window, represented by the Window object.

Because each browsing context is a complete document environment, every <iframe> in a page requires increased memory and other computing resources. While theoretically you can use as many <iframe>s as you like, check for performance problems.

Content categories Flow content, phrasing content, embedded content, interactive content, palpable content.
Permitted content None.
Tag omission None, both the starting and ending tag are mandatory.
Permitted parents Any element that accepts embedded content.
Implicit ARIA role No corresponding role
Permitted ARIA roles application, document, img, none, presentation
DOM interface HTMLIFrameElement

Attributes

This element includes the global attributes.

allow
Specifies a feature policy for the <iframe>. The policy defines what features are available to the <iframe> based on the origin of the request (e.g. access to the microphone, camera, battery, web-share API, etc.).

For more information and examples see: Using Feature Policy > The iframe allow attribute.
allowfullscreen
Set to true if the <iframe> can activate fullscreen mode by calling the requestFullscreen() method.
This attribute is considered a legacy attribute and redefined as allow="fullscreen".
allowpaymentrequest
Set to true if a cross-origin <iframe> should be allowed to invoke the Payment Request API.
This attribute is considered a legacy attribute and redefined as allow="payment".
csp
A Content Security Policy enforced for the embedded resource. See HTMLIFrameElement.csp for details.
height
The height of the frame in CSS pixels. Default is 150.
loading
Indicates how the browser should load the iframe:
  • eager: Load the iframe immediately, regardless if it is outside the visible viewport (this is the default value).
  • lazy: Defer loading of the iframe until it reaches a calculated distance from the viewport, as defined by the browser.
name
A targetable name for the embedded browsing context. This can be used in the target attribute of the <a>, <form>, or <base> elements; the formtarget attribute of the <input> or <button> elements; or the windowName parameter in the window.open() method.
referrerpolicy
Indicates which referrer to send when fetching the frame's resource:
  • no-referrer: The Referer header will not be sent.
  • no-referrer-when-downgrade (default): The Referer header will not be sent to origins without TLS (HTTPS).
  • origin: The sent referrer will be limited to the origin of the referring page: its scheme, host, and port.
  • origin-when-cross-origin: The referrer sent to other origins will be limited to the scheme, the host, and the port. Navigations on the same origin will still include the path.
  • same-origin: A referrer will be sent for same origin, but cross-origin requests will contain no referrer information.
  • strict-origin: Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
  • strict-origin-when-cross-origin: Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
  • unsafe-url: The referrer will include the origin and the path (but not the fragment, password, or username). This value is unsafe, because it leaks origins and paths from TLS-protected resources to insecure origins.
sandbox
Applies extra restrictions to the content in the frame. The value of the attribute can either be empty to apply all restrictions, or space-separated tokens to lift particular restrictions:
  • allow-downloads-without-user-activation : Allows for downloads to occur without a gesture from the user.
  • allow-downloads: Allows for downloads to occur with a gesture from the user.
  • allow-forms: Allows the resource to submit forms. If this keyword is not used, form submission is blocked.
  • allow-modals: Lets the resource open modal windows.
  • allow-orientation-lock: Lets the resource lock the screen orientation.
  • allow-pointer-lock: Lets the resource use the Pointer Lock API.
  • allow-popups: Allows popups (such as window.open(), target="_blank", or showModalDialog()). If this keyword is not used, the popup will silently fail to open.
  • allow-popups-to-escape-sandbox: Lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to.
  • allow-presentation: Lets the resource start a presentation session.
  • allow-same-origin: If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy.
  • allow-scripts: Lets the resource run scripts (but not create popup windows).
  • allow-storage-access-by-user-activation : Lets the resource request access to the parent's storage capabilities with the Storage Access API.
  • allow-top-navigation: Lets the resource navigate the top-level browsing context (the one named _top).
  • allow-top-navigation-by-user-activation: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
Notes about sandboxing:
  • When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
  • Sandboxing is useless if the attacker can display content outside a sandboxed iframe — such as if the viewer opens the frame in a new tab. Such content should be also served from a separate origin to limit potential damage.
  • The sandbox attribute is unsupported in Internet Explorer 9 and earlier.
src
The URL of the page to embed. Use a value of about:blank to embed an empty page that conforms to the same-origin policy. Also note that programatically removing an <iframe>'s src attribute (e.g. via Element.removeAttribute()) causes about:blank to be loaded in the frame in Firefox (from version 65), Chromium-based browsers, and Safari/iOS.
srcdoc
Inline HTML to embed, overriding the src attribute. If a browser does not support the srcdoc attribute, it will fall back to the URL in the src attribute.
width
The width of the frame in CSS pixels. Default is 300.

Deprecated attributes

These attributes are deprecated and may no longer be supported by all user agents. You should not use them in new content, and try to remove them from existing content.

align
The alignment of this element with respect to the surrounding context.
frameborder
The value 1 (the default) draws a border around this frame. The value 0 removes the border around this frame, but you should instead use the CSS property border to control <iframe> borders.
longdesc
A URL of a long description of the frame's content. Due to widespread misuse, this is not helpful for non-visual browsers.
marginheight
The amount of space in pixels between the frame's content and its top and bottom borders.
marginwidth
The amount of space in pixels between the frame's content and its left and right borders.
scrolling
Indicates when the browser should provide a scrollbar for the frame:
  • auto: Only when the frame's content is larger than its dimensions.
  • yes: Always show a scrollbar.
  • no: Never show a scrollbar.

Non-standard attributes

mozbrowser
See bug 1318532 for exposing this to WebExtensions in Firefox.
Makes the <iframe> act like a top-level browser window. See Browser API for details.
Available only to WebExtensions.

Scripting

Inline frames, like <frame> elements, are included in the window.frames pseudo-array.

With the DOM HTMLIFrameElement object, scripts can access the window object of the framed resource via the contentWindow property. The contentDocument property refers to the document inside the <iframe>, same as contentWindow.document.

From the inside of a frame, a script can get a reference to its parent window with window.parent.

Script access to a frame's content is subject to the same-origin policy. Scripts cannot access most properties in other window objects if the script was loaded from a different origin, including scripts inside a frame accessing the frame's parent. Cross-origin communication can be achieved using Window.postMessage().

Positioning and scaling

As a replaced element, the position, alignment, and scaling of the embedded document within the <iframe> element's box, can be adjusted with the object-position and object-fit properties.

Examples

A simple <iframe>

An <iframe> in action. After creating the frame, when the user clicks a button, its title is displayed in an alert.

HTML

<iframe src="https://mdn-samples.mozilla.org/snippets/html/iframe-simple-contents.html"
            title="iframe Example 1" width="400" height="300">
</iframe>

Result

Accessibility concerns

People navigating with assistive technology such as a screen reader can use the title attribute on an <iframe> to label its content. The title's value should concisely describe the embedded content:

<iframe title="Wikipedia page for Avocados" src="https://en.wikipedia.org/wiki/Avocado"></iframe>

Without this title, they have to navigate into the <iframe> to determine what its embedded content is. This context shift can be confusing and time-consuming, especially for pages with multiple <iframe>s and/or if embeds contain interactive content like video or audio.

Specifications

Specification Status Comment
Referrer Policy
The definition of 'referrerpolicy attribute' in that specification.
Candidate Recommendation Added the referrerpolicy attribute.
HTML Living Standard
The definition of '<iframe>' in that specification.
Living Standard
HTML5
The definition of '<iframe>' in that specification.
Recommendation
HTML 4.01 Specification
The definition of '<iframe>' in that specification.
Recommendation
Screen Orientation API Working Draft Adds allow-orientation-lock to the sandbox attribute.

Browser compatibilityUpdate compatibility data on GitHub

Desktop
Chrome Edge Firefox Internet Explorer Opera Safari
iframe 1 12 Yes
Yes
The resize CSS property doesn't have any effect on this element due to bug 680823.
Yes Yes Yes
Yes
Safari has a bug that prevents iframes from loading if the iframe element was hidden when added to the page. iframeElement.src = iframeElement.src should cause it to load the iframe.
align 1 12 Yes Yes Yes Yes
allow 60 79 74 No 47 11.1
allowfullscreen 27
27
17 — 38
Prefixed
Prefixed Implemented with the vendor prefix: webkit
≤79
≤79
12 — 79
Prefixed
Prefixed Implemented with the vendor prefix: ms
18
18
9
Prefixed
Prefixed Implemented with the vendor prefix: moz
11
Prefixed
11
Prefixed
Prefixed Implemented with the vendor prefix: ms
≤15
≤15
15 — 25
Prefixed
Prefixed Implemented with the vendor prefix: webkit
7
7
Yes
Prefixed
Prefixed Implemented with the vendor prefix: webkit
allowpaymentrequest No No No No No No
Aspect ratio computed from width and height attributes 79 79 71
71
69 — 71
Disabled
Disabled From version 69 until version 71 (exclusive): this feature is behind the layout.css.width-and-height-map-to-aspect-ratio.enabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
No 66 14
External protocol URLs blocked ? ? 67 ? ? ?
frameborder 1 12 Yes Yes Yes Yes
height 1 12 Yes Yes Yes Yes
loading 76 79 No No 63 No
No
See bug 196698
longdesc 1 12 Yes Yes Yes Yes
marginheight 1 12 Yes Yes Yes Yes
marginwidth 1 12 Yes Yes Yes Yes
name 1 12 Yes Yes Yes Yes
referrerpolicy 51 79 50 No 38 11.1
sandbox 4 12 17 10 15 5
sandbox="allow-downloads" 83 83 82 No ? No
sandbox="allow-modals" ? ? 49 No ? ?
sandbox="allow-popups" Yes ≤18 28 ? Yes ?
sandbox="allow-popups-to-escape-sandbox" 46 79 49 No 32 ?
sandbox="allow-presentation" 53 79 50 No 40 ?
sandbox="allow-storage-access-by-user-activation" No No 65
Disabled
65
Disabled
Disabled From version 65: this feature is behind the dom.storage_access.enabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
No No 11.1
sandbox="allow-top-navigation-by-user-activation" 58 79 79 No 45 11.1
11.1
Not initially available in 11.1, but added in sub-version 13605.1.33.1.2.
scrolling 1 12 Yes Yes Yes Yes
src 1 12 Yes Yes Yes Yes
srcdoc 20 79 25 No 15 6
width 1 12 Yes Yes Yes Yes
Mobile
Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
iframe Yes Yes Yes
Yes
The resize CSS property doesn't have any effect on this element due to bug 680823.
Yes Yes
Yes
Safari has a bug that prevents iframes from loading if the iframe element was hidden when added to the page. iframeElement.src = iframeElement.src should cause it to load the iframe.
Yes
align Yes Yes Yes Yes Yes Yes
allow 60 60 No 44 11.3 8.0
allowfullscreen 37
37
37 — 38
Prefixed
Prefixed Implemented with the vendor prefix: webkit
27
27
18 — 38
Prefixed
Prefixed Implemented with the vendor prefix: webkit
18
18
9
Prefixed
Prefixed Implemented with the vendor prefix: moz
≤14
≤14
14 — 25
Prefixed
Prefixed Implemented with the vendor prefix: webkit
7
7
Yes
Prefixed
Prefixed Implemented with the vendor prefix: webkit
1.5
1.5
1.0 — 3.0
Prefixed
Prefixed Implemented with the vendor prefix: webkit
allowpaymentrequest No No No No No No
Aspect ratio computed from width and height attributes 79 79 79 57 14 12.0
External protocol URLs blocked ? ? 67 ? ? ?
frameborder Yes Yes Yes Yes Yes Yes
height Yes Yes Yes Yes Yes Yes
loading No 76 No 54 No
No
See bug 196698
No
longdesc Yes Yes Yes Yes Yes Yes
marginheight Yes Yes Yes Yes Yes Yes
marginwidth Yes Yes Yes Yes Yes Yes
name Yes Yes Yes Yes Yes Yes
referrerpolicy 51 51 50 41 No 7.2
sandbox Yes Yes 17 ? 4.2 Yes
sandbox="allow-downloads" 83 83 82 ? No ?
sandbox="allow-modals" ? ? 49 ? ? ?
sandbox="allow-popups" Yes Yes 27 ? ? Yes
sandbox="allow-popups-to-escape-sandbox" 46 46 49 32 ? 5.0
sandbox="allow-presentation" No 53 50 41 ? 6.0
sandbox="allow-storage-access-by-user-activation" No No 65
Disabled
65
Disabled
Disabled From version 65: this feature is behind the dom.storage_access.enabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
No 11.3 No
sandbox="allow-top-navigation-by-user-activation" 58 58 79 43 ? 7.0
scrolling Yes Yes Yes Yes Yes Yes
src Yes Yes Yes Yes Yes Yes
srcdoc 37 25 25 ? ? 1.5
width Yes Yes Yes Yes Yes Yes

See also

© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe