<iframe> - Inline Frame Element

The <iframe> Element

Embedded Content HTML 4.0

The iframe element creates a nested browsing context, allowing you to embed another HTML document within the current page. It’s commonly used for embedding third-party content like maps, videos, social media widgets, and external applications.

Caution

Security Critical: Iframes can introduce serious security vulnerabilities if not properly configured. Always use the sandbox attribute and implement Content Security Policy (CSP) when embedding external content.

Quick Example

HTML

<!-- Simple iframe embedding an external page --> <iframe src="https://example.com" width="600" height="400" title="Example website" loading="lazy"> </iframe> <!-- Secure iframe with sandbox --> <iframe src="https://external-app.com" sandbox="allow-scripts allow-same-origin" title="External application" width="100%" height="500"> </iframe>

Result ▶ Run

Syntax

<iframe src="url" title="description"></iframe>

The <iframe> element requires both opening and closing tags. Any content between the tags is displayed only if the browser doesn’t support iframes (rare in modern browsers).

Tip

Always include a title attribute describing the iframe’s content for screen readers and accessibility.

Attributes

Essential Attributes

Attribute	Description	Example
src	URL of the embedded content	src="https://example.com"
title	Accessible description (required)	title="Google Maps location"
width	Width in pixels or percentage	width="600" or width="100%"
height	Height in pixels	height="400"
name	Name for targeting	name="main-frame"

Security Attributes (Critical)

Attribute	Description	Example
sandbox	Enables security restrictions	sandbox="allow-scripts"
allow	Permissions Policy (formerly Feature Policy)	allow="camera; microphone"
referrerpolicy	Controls referrer information	referrerpolicy="no-referrer"
csp	Content Security Policy for iframe	csp="default-src 'self'"

Loading and Display Attributes

Attribute	Description	Example
loading	Lazy loading behavior	loading="lazy" or loading="eager"
srcdoc	Inline HTML content	srcdoc="<p>Hello</p>"
allowfullscreen	Enable fullscreen API	allowfullscreen
allowpaymentrequest	Allow Payment Request API	allowpaymentrequest

Legacy/Styling Attributes

Attribute	Description	Status
frameborder	Border around iframe	Deprecated - use CSS
scrolling	Scrollbar behavior	Deprecated - use CSS
marginwidth, marginheight	Margins	Deprecated - use CSS
align	Alignment	Deprecated - use CSS

Caution

Avoid deprecated attributes. Use CSS for styling iframes instead.

Security Considerations (Critical)

The sandbox Attribute

The sandbox attribute is your primary defense against malicious iframe content. It applies strict restrictions unless explicitly relaxed.

HTML

<!-- Most restrictive: sandbox with no values --> <iframe src="untrusted-content.html" sandbox title="Sandboxed content"> </iframe> <!-- Allow scripts only --> <iframe src="trusted-app.html" sandbox="allow-scripts" title="App with scripts"> </iframe> <!-- Multiple permissions --> <iframe src="interactive-widget.html" sandbox="allow-scripts allow-forms allow-popups" title="Interactive widget"> </iframe>

Result ▶ Run

Sandbox Values

Value	Description	Use Case
(empty)	Maximum restrictions	Untrusted content
allow-scripts	Allow JavaScript execution	Interactive content
allow-same-origin	Allow same-origin access	API calls to parent domain
allow-forms	Allow form submission	Forms and inputs
allow-popups	Allow opening new windows	OAuth flows, external links
allow-popups-to-escape-sandbox	Popups escape sandbox	Payment gateways
allow-top-navigation	Allow navigating parent	Full-page navigation
allow-downloads	Allow file downloads	Document viewers
allow-modals	Allow alert(), confirm()	User confirmations
allow-orientation-lock	Lock screen orientation	Games, video players
allow-pointer-lock	Capture mouse pointer	Games, 3D viewers
allow-presentation	Allow Presentation API	Screen sharing
allow-storage-access-by-user-activation	Storage access after user interaction	Embedded apps

Danger

Critical Security Warning: Never combine allow-scripts and allow-same-origin for untrusted content. This combination allows the iframe to remove its own sandbox attribute via JavaScript, defeating all security measures.

Sandbox Best Practices

Secure

<!-- Untrusted third-party content -->
<iframe
  src="https://third-party.com/widget"
  sandbox="allow-scripts"
  title="Third-party widget">
</iframe>

<!-- User-generated content -->
<iframe
  srcdoc="<h1>User Content</h1>"
  sandbox
  title="User preview">
</iframe>

Dangerous

<!-- NEVER DO THIS with untrusted content! -->
<iframe
  src="https://untrusted-site.com"
  sandbox="allow-scripts allow-same-origin"
  title="Dangerous configuration">
</iframe>

<!-- No sandbox at all! -->
<iframe
  src="https://unknown-source.com"
  title="No protection">
</iframe>

Permissions Policy (allow attribute)

The allow attribute controls which browser features the iframe can access.

HTML

<!-- Disable all features --> <iframe src="https://example.com" allow="" title="No features allowed"> </iframe> <!-- Allow specific features --> <iframe src="https://video-player.com" allow="autoplay; fullscreen; picture-in-picture" title="Video player"> </iframe> <!-- Geolocation for specific origin --> <iframe src="https://maps.example.com" allow="geolocation https://maps.example.com" title="Map with location"> </iframe>

Result ▶ Run

Common Permissions

Permission	Description
camera	Access camera
microphone	Access microphone
geolocation	Access location
autoplay	Autoplay media
fullscreen	Enter fullscreen mode
payment	Payment Request API
usb, bluetooth	Device access
accelerometer, gyroscope	Motion sensors
picture-in-picture	Picture-in-picture mode

Content Security Policy

Implement CSP headers to control iframe sources:

<!-- In HTTP headers or meta tag -->
<meta http-equiv="Content-Security-Policy"
      content="frame-src 'self' https://trusted-domain.com; frame-ancestors 'self';">

CSP Directives for Iframes:

• frame-src: Controls which URLs can be embedded in iframes
• frame-ancestors: Controls which sites can embed YOUR page in an iframe
• child-src: Legacy fallback for frame-src

HTML

<!-- Page that allows being embedded --> <meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' https://trusted-embedder.com;"> <!-- Page that restricts iframe sources --> <meta http-equiv="Content-Security-Policy" content="frame-src 'self' https://www.youtube.com https://maps.google.com;"> <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ" title="YouTube video" width="560" height="315"> </iframe>

Result ▶ Run

X-Frame-Options (Legacy)

Older method to prevent clickjacking (replaced by CSP frame-ancestors):

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://trusted-site.com

Note

Prefer CSP frame-ancestors over X-Frame-Options for modern browsers. Include both for backward compatibility.

Cross-Origin Communication

Use postMessage() API for secure cross-origin communication:

HTML

<!-- Parent page --> <iframe id="child-frame" src="https://child-domain.com" title="Child frame"> </iframe> <script> const iframe = document.getElementById('child-frame'); // Send message to iframe iframe.contentWindow.postMessage({ type: 'greeting', message: 'Hello from parent' }, 'https://child-domain.com'); // Receive messages from iframe window.addEventListener('message', (event) => { // CRITICAL: Always verify origin! if (event.origin !== 'https://child-domain.com') { return; } console.log('Received:', event.data); }); </script> <!-- Inside iframe (child-domain.com) --> <script> // Receive messages from parent window.addEventListener('message', (event) => { // CRITICAL: Verify origin! if (event.origin !== 'https://parent-domain.com') { return; } console.log('Parent said:', event.data.message); // Send response event.source.postMessage({ type: 'response', message: 'Hello from child' }, event.origin); }); </script>

Result ▶ Run

Danger

Always validate event.origin in postMessage handlers. Failing to do so creates severe security vulnerabilities.

Common Use Cases

Embedding YouTube Videos

HTML

<!-- Responsive YouTube embed --> <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;" src="https://www.youtube.com/embed/dQw4w9WgXcQ" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen loading="lazy"> </iframe> </div>

Result ▶ Run

Tip

Use youtube-nocookie.com domain for privacy-enhanced mode that doesn’t track users until they play the video.

Embedding Google Maps

HTML

<iframe src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d3024.2219901290355!2d-74.00369368400567!3d40.71312937933155!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x89c25a316e2e20c7%3A0xb07b3ba2cc25e3!2sOne%20World%20Trade%20Center!5e0!3m2!1sen!2sus!4v1234567890123!5m2!1sen!2sus" width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy" referrerpolicy="no-referrer-when-downgrade" title="Google Maps - One World Trade Center"> </iframe>

Result ▶ Run

Responsive Iframes

HTML

<style> .iframe-container { position: relative; padding-bottom: 56.25%; /* 16:9 aspect ratio */ height: 0; overflow: hidden; max-width: 100%; } .iframe-container iframe { position: absolute; top: 0; left: 0; width: 100%; height: 100%; border: 0; } /* 4:3 aspect ratio */ .iframe-container.ratio-4-3 { padding-bottom: 75%; } /* 1:1 aspect ratio */ .iframe-container.ratio-1-1 { padding-bottom: 100%; } </style> <div class="iframe-container"> <iframe src="https://example.com" title="Responsive iframe" loading="lazy"> </iframe> </div>

Result ▶ Run

Using srcdoc for Inline Content

HTML

<!-- Inline HTML content --> <iframe srcdoc=" <!DOCTYPE html> <html> <head> <style> body { font-family: Arial; padding: 20px; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; } </style> </head> <body> <h1>Inline Content</h1> <p>This content is defined inline using srcdoc.</p> </body> </html> " sandbox="allow-scripts" title="Inline content example" width="100%" height="200"> </iframe>

Result ▶ Run

Tip

srcdoc is useful for rendering user-generated content safely when combined with the sandbox attribute.

Code Sandboxes

HTML

<!-- CodeSandbox embed --> <iframe src="https://codesandbox.io/embed/vanilla?fontsize=14&hidenavigation=1&theme=dark" style="width:100%; height:500px; border:0; border-radius: 4px; overflow:hidden;" title="Code Sandbox Example" allow="accelerometer; ambient-light-sensor; camera; encrypted-media; geolocation; gyroscope; hid; microphone; midi; payment; usb; vr; xr-spatial-tracking" sandbox="allow-forms allow-modals allow-popups allow-presentation allow-same-origin allow-scripts"> </iframe>

Result ▶ Run

Social Media Embeds

HTML

<!-- Twitter/X embed --> <iframe src="https://platform.twitter.com/embed/Tweet.html?id=123456789" width="550" height="250" style="border: 1px solid #ccc; border-radius: 4px;" title="Twitter post" loading="lazy"> </iframe> <!-- Instagram embed (simplified) --> <iframe src="https://www.instagram.com/p/ABC123/embed" width="400" height="480" frameborder="0" scrolling="no" allowtransparency="true" title="Instagram post" loading="lazy"> </iframe>

Result ▶ Run

Performance Optimization

Lazy Loading

HTML

<!-- Lazy load iframes below the fold --> <iframe src="https://example.com" loading="lazy" title="Lazy loaded content" width="600" height="400"> </iframe> <!-- Eager load critical iframes --> <iframe src="https://critical-content.com" loading="eager" title="Critical content" width="600" height="400"> </iframe>

Result ▶ Run

Loading Strategies:

• loading="lazy": Load when near viewport (default for off-screen iframes)
• loading="eager": Load immediately
• No attribute: Browser decides (usually immediate)

Tip

Lazy loading can improve page load performance by 20-50% when you have multiple iframes below the fold.

Importance Attribute (Experimental)

<!-- Low priority iframe -->
<iframe
  src="https://ads.example.com"
  importance="low"
  loading="lazy">
</iframe>

<!-- High priority iframe -->
<iframe
  src="https://critical-app.com"
  importance="high">
</iframe>

Resource Hints

HTML

<!-- Preconnect to iframe origin --> <link rel="preconnect" href="https://www.youtube.com"> <link rel="dns-prefetch" href="https://www.youtube.com"> <!-- Prefetch iframe content --> <link rel="prefetch" href="https://example.com/iframe-content.html"> <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ" title="YouTube video" loading="lazy"> </iframe>

Result ▶ Run

Styling Iframes

Basic Styling

HTML

<style> .styled-iframe { width: 100%; height: 400px; border: 3px solid #3b82f6; border-radius: 8px; box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1); } .no-border { border: none; } .with-padding { padding: 20px; background: #f3f4f6; } </style> <div class="with-padding"> <iframe src="https://example.com" class="styled-iframe no-border" title="Styled iframe"> </iframe> </div>

Result ▶ Run

Hiding Until Loaded

HTML

<style> .iframe-wrapper { position: relative; width: 100%; height: 400px; } .iframe-wrapper iframe { position: absolute; top: 0; left: 0; width: 100%; height: 100%; opacity: 0; transition: opacity 0.3s; } .iframe-wrapper iframe.loaded { opacity: 1; } .iframe-wrapper .loading { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); } </style> <div class="iframe-wrapper"> <div class="loading">Loading...</div> <iframe src="https://example.com" title="Iframe with loading state" onload="this.classList.add('loaded'); this.previousElementSibling.style.display='none';"> </iframe> </div>

Result ▶ Run

JavaScript Interaction

Accessing Iframe Content

HTML

<iframe id="my-iframe" src="about:blank" title="Accessible iframe"> </iframe> <script> const iframe = document.getElementById('my-iframe'); // Wait for iframe to load iframe.addEventListener('load', () => { // Access iframe's window (same-origin only!) const iframeWindow = iframe.contentWindow; // Access iframe's document (same-origin only!) const iframeDoc = iframe.contentDocument || iframe.contentWindow.document; // Modify iframe content iframeDoc.body.innerHTML = '<h1>Modified Content</h1>'; }); </script>

Result ▶ Run

Caution

You can only access iframe content if it’s from the same origin or if CORS headers allow it. Cross-origin iframes will throw security errors.

Dynamic Iframe Creation

HTML

<button onclick="createIframe()">Create Iframe</button> <div id="container"></div> <script> function createIframe() { const iframe = document.createElement('iframe'); iframe.src = 'https://example.com'; iframe.title = 'Dynamically created iframe'; iframe.width = '600'; iframe.height = '400'; iframe.setAttribute('sandbox', 'allow-scripts'); iframe.setAttribute('loading', 'lazy'); document.getElementById('container').appendChild(iframe); } </script>

Result ▶ Run

Iframe Resizing

HTML

<!-- Parent page --> <iframe id="resizable-iframe" src="child-page.html" style="width: 100%; border: 1px solid #ccc;" title="Auto-resizing iframe"> </iframe> <script> // Receive height updates from iframe window.addEventListener('message', (event) => { // Verify origin if (event.origin !== 'https://trusted-domain.com') return; if (event.data.type === 'resize') { const iframe = document.getElementById('resizable-iframe'); iframe.style.height = event.data.height + 'px'; } }); </script> <!-- Inside iframe (child-page.html) --> <script> function sendHeight() { const height = document.body.scrollHeight; window.parent.postMessage({ type: 'resize', height: height }, 'https://parent-domain.com'); } // Send height on load and resize window.addEventListener('load', sendHeight); window.addEventListener('resize', sendHeight); // Send height when content changes new ResizeObserver(sendHeight).observe(document.body); </script>

Result ▶ Run

Accessibility

Required: Title Attribute

Accessible

<iframe
  src="https://www.youtube.com/embed/dQw4w9WgXcQ"
  title="Rick Astley - Never Gonna Give You Up (Official Video)"
  width="560"
  height="315">
</iframe>

<iframe
  src="https://maps.google.com/maps?q=london&output=embed"
  title="Google Maps showing London, United Kingdom">
</iframe>

Inaccessible

<!-- NO title - screen readers don't know what this is -->
<iframe
  src="https://www.youtube.com/embed/dQw4w9WgXcQ"
  width="560"
  height="315">
</iframe>

<!-- Generic title - not helpful -->
<iframe
  src="https://maps.google.com"
  title="iframe">
</iframe>

Focus Management

HTML

<!-- Skip iframe in tab order if not interactive --> <iframe src="https://example.com" title="Decorative banner" tabindex="-1"> </iframe> <!-- Allow focus for interactive content (default) --> <iframe src="https://app.example.com" title="Interactive application"> </iframe>

Result ▶ Run

ARIA Roles and Labels

HTML

<!-- Advertisement iframe --> <iframe src="https://ads.example.com" title="Advertisement" role="complementary" aria-label="Sponsored advertisement"> </iframe> <!-- Application iframe --> <iframe src="https://app.example.com" title="Document Editor" role="application" aria-label="Online document editor"> </iframe>

Result ▶ Run

Fallback Content

HTML

<iframe src="https://example.com" title="Example content"> <p> Your browser does not support iframes. <a href="https://example.com">View content here</a>. </p> </iframe>

Result ▶ Run

Browser Support

Feature	Chrome	Firefox	Safari	Edge
Basic <iframe>	1+	1+	1+	12+
sandbox	4+	17+	5+	10+
sandbox tokens	Varies	Varies	Varies	Varies
allow (Permissions Policy)	60+	74+	11.1+	79+
loading	77+	77+	16.4+	79+
srcdoc	20+	25+	6+	79+
referrerpolicy	51+	50+	11.1+	79+
csp	61+	❌	❌	79+

Note

All modern browsers support iframes, but security features like sandbox have varying levels of support. Always test security-critical implementations.

Common Issues and Solutions

Issue: Refused to display in a frame

Error: Refused to display 'https://example.com' in a frame because it set 'X-Frame-Options' to 'deny'.

Solution: The target site prevents embedding. You cannot override this. Options:

1. Contact site owner for permission
2. Use site’s official embed API if available
3. Link to content instead of embedding

Issue: Cross-origin access blocked

Error: Blocked a frame from accessing a cross-origin frame.

Solution: Use postMessage() for cross-origin communication. You cannot directly access cross-origin iframe content.

Issue: Mixed content warning

Error: Mixed Content: The page was loaded over HTTPS, but requested an insecure frame.

Solution: Always use HTTPS for iframe src when parent page is HTTPS:

<!-- Change this -->
<iframe src="http://example.com"></iframe>

<!-- To this -->
<iframe src="https://example.com"></iframe>

Issue: Iframe not responsive

Solution: Use aspect ratio padding technique:

HTML

<style> .responsive-iframe { position: relative; padding-bottom: 56.25%; /* 16:9 */ height: 0; } .responsive-iframe iframe { position: absolute; top: 0; left: 0; width: 100%; height: 100%; } </style> <div class="responsive-iframe"> <iframe src="https://example.com" title="Responsive iframe"> </iframe> </div>

Result ▶ Run

Security Checklist

• Always use sandbox attribute for untrusted content
• Never combine allow-scripts and allow-same-origin for untrusted sources
• Implement CSP with frame-src and frame-ancestors
• Use allow attribute to restrict permissions
• Validate event.origin in postMessage handlers
• Use HTTPS for all iframe sources
• Include descriptive title attribute
• Set referrerpolicy to limit referrer information
• Use loading="lazy" for below-fold iframes
• Regularly audit third-party iframe sources

Related Elements

Embeds external applications and plugins. Learn more →