<iframe>: The Inline Frame element #

::: section-content The <iframe> HTML element represents a nested browsing context, embedding another HTML page into the current one. :::

Try it #

::: section-content ::: iframe ::: {.output-header .border-rounded-top}

HTML Demo: <iframe> #

Reset :::

::: {#warning-no-script .warning-container} ::: warning The interactive example cannot be shown because JavaScript is disabled. ::: :::

::: {#warning-mathml-not-supported .warning-container .hidden} ::: warning The interactive example cannot be shown because MathML is not supported by your browser. ::: :::

::: {#editor-container .editor-container .tabbed-standard .hidden .border-rounded-bottom editor-type=“tabbed”} ::: {#tab-container .section .tabs} ::: {#tablist .tab-list role=“tablist”} HTML

CSS

JavaScript :::

::: {#html-panel .section .hidden tabindex=“0” role=“tabpanel” aria-labelledby=“html” aria-hidden=“true”} ::: {#html-editor} ::: :::

::: {#css-panel .section .hidden tabindex=“0” role=“tabpanel” aria-labelledby=“css” aria-hidden=“true”} ::: {#css-editor} iframe { border: 1px solid black; width: 100%; /* takes precedence over the width set with the HTML width attribute */ } ::: :::

::: {#js-panel .section .hidden tabindex=“0” role=“tabpanel” aria-labelledby=“js” aria-hidden=“true”} ::: {#js-editor} ::: ::: :::

::: {#output .output-container}

Output #

::: :::

::: {.section .console-container .hidden aria-hidden=“true”}

Console Output #

![] clear console

::: {#console .console} ::: :::

::: {#html-output .output .editor-tabbed} %html-content% ::: :::

Each embedded browsing context has its own document and allows URL navigations. The navigations of each embedded browsing context are linearized into the session history of the topmost browsing context. The browsing context that embeds the others is called the parent browsing context. The topmost browsing context — the one with no parent — is usually the browser window, represented by the Window object.

::: {#sect1 .notecard .warning} Warning: Because each browsing context is a complete document environment, every <iframe> in a page requires increased memory and other computing resources. While theoretically you can use as many <iframe>s as you like, check for performance problems. ::: :::

Attributes #

::: section-content This element includes the global attributes.

allow

Specifies a Permissions Policy for the <iframe>. The policy defines what features are available to the <iframe> (for example, access to the microphone, camera, battery, web-share, etc.) based on the origin of the request.

::: {#sect2 .notecard .note} Note: A Permissions Policy specified by the allow attribute implements a further restriction on top of the policy specified in the Permissions-Policy header. It doesn't replace it. :::

allowfullscreen

Set to true if the <iframe> can activate fullscreen mode by calling the requestFullscreen() method.

::: {#sect3 .notecard .note} Note: This attribute is considered a legacy attribute and redefined as allow="fullscreen". :::

allowpaymentrequest [Experimental]{.visually-hidden}

Set to true if a cross-origin <iframe> should be allowed to invoke the Payment Request API.

::: {#sect4 .notecard .note} Note: This attribute is considered a legacy attribute and redefined as allow="payment". :::

credentialless [Experimental]{.visually-hidden} [Non-standard]{.visually-hidden}

Set to true to make the <iframe> credentialless, meaning that its content will be loaded in a new, ephemeral context. It doesn't have access to the network, cookies, and storage data associated with its origin. It uses a new context local to the top-level document lifetime. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules can be lifted, so documents with COEP set can embed third-party documents that do not. See IFrame credentialless for more details.

csp [Experimental]{.visually-hidden}

A Content Security Policy enforced for the embedded resource. See HTMLIFrameElement.csp for details.

height

The height of the frame in CSS pixels. Default is 150.

loading

Indicates how the browser should load the iframe:

• eager: Load the iframe immediately, regardless if it is outside the visible viewport (this is the default value).
• lazy: Defer loading of the iframe until it reaches a calculated distance from the viewport, as defined by the browser.

name

A targetable name for the embedded browsing context. This can be used in the target attribute of the <a>, <form>, or <base> elements; the formtarget attribute of the <input> or <button> elements; or the windowName parameter in the window.open() method.

referrerpolicy

Indicates which referrer to send when fetching the frame's resource:

• no-referrer: The Referer header will not be sent.
• no-referrer-when-downgrade: The Referer header will not be sent to origins without TLS ( HTTPS).
• origin: The sent referrer will be limited to the origin of the referring page: its scheme, host, and port.
• origin-when-cross-origin: The referrer sent to other origins will be limited to the scheme, the host, and the port. Navigations on the same origin will still include the path.
• same-origin: A referrer will be sent for same origin, but cross-origin requests will contain no referrer information.
• strict-origin: Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
• strict-origin-when-cross-origin (default): Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
• unsafe-url: The referrer will include the origin and the path (but not the fragment, password, or username). This value is unsafe, because it leaks origins and paths from TLS-protected resources to insecure origins.

sandbox

Controls the restrictions applied to the content embedded in the <iframe>. The value of the attribute can either be empty to apply all restrictions, or space-separated tokens to lift particular restrictions:

• allow-downloads: Allows downloading files through an <a> or <area> element with the download attribute, as well as through the navigation that leads to a download of a file. This works regardless of whether the user clicked on the link, or JS code initiated it without user interaction.
• allow-downloads-without-user-activation [Experimental]{.visually-hidden} : Allows for downloads to occur without a gesture from the user.
• allow-forms: Allows the page to submit forms. If this keyword is not used, form will be displayed as normal, but submitting it will not trigger input validation, sending data to a web server or closing a dialog.
• allow-modals: Allows the page to open modal windows by Window.alert(), Window.confirm(), Window.print() and Window.prompt(), while opening a <dialog> is allowed regardless of this keyword. It also allows the page to receive BeforeUnloadEvent event.
• allow-orientation-lock: Lets the resource lock the screen orientation.
• allow-pointer-lock: Allows the page to use the Pointer Lock API.
• allow-popups: Allows popups (like from Window.open(), target="_blank", Window.showModalDialog()). If this keyword is not used, that functionality will silently fail.
• allow-popups-to-escape-sandbox: Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon the page the ad links to.
• allow-presentation: Allows embedders to have control over whether an iframe can start a presentation session.
• allow-same-origin: If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).
• allow-scripts: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
• allow-storage-access-by-user-activation [Experimental]{.visually-hidden} : Allows a document loaded in the <iframe> to use the Storage Access API to request access to unpartitioned cookies.
• allow-top-navigation: Lets the resource navigate the top-level browsing context (the one named _top).
• allow-top-navigation-by-user-activation: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
• allow-top-navigation-to-custom-protocols: Allows navigations to non-http protocols built into browser or registered by a website. This feature is also activated by allow-popups or allow-top-navigation keyword.

::: {#sect5 .notecard .note} Note:

• When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
• Sandboxing is useless if the attacker can display content outside a sandboxed iframe — such as if the viewer opens the frame in a new tab. Such content should be also served from a separate origin to limit potential damage. :::

src

The URL of the page to embed. Use a value of about:blank to embed an empty page that conforms to the same-origin policy. Also note that programmatically removing an <iframe>'s src attribute (e.g. via Element.removeAttribute()) causes about:blank to be loaded in the frame in Firefox (from version 65), Chromium-based browsers, and Safari/iOS.

srcdoc

Inline HTML to embed, overriding the src attribute. If a browser does not support the srcdoc attribute, it will fall back to the URL in the src attribute.

width

The width of the frame in CSS pixels. Default is 300. :::

Deprecated attributes #

::: section-content These attributes are deprecated and may no longer be supported by all user agents. You should not use them in new content, and try to remove them from existing content.

align [Deprecated]{.visually-hidden}

The alignment of this element with respect to the surrounding context.

frameborder [Deprecated]{.visually-hidden}

The value 1 (the default) draws a border around this frame. The value 0 removes the border around this frame, but you should instead use the CSS property border to control <iframe> borders.

longdesc [Deprecated]{.visually-hidden}

A URL of a long description of the frame's content. Due to widespread misuse, this is not helpful for non-visual browsers.

marginheight [Deprecated]{.visually-hidden}

The amount of space in pixels between the frame's content and its top and bottom borders.

marginwidth [Deprecated]{.visually-hidden}

The amount of space in pixels between the frame's content and its left and right borders.

scrolling [Deprecated]{.visually-hidden}

Indicates when the browser should provide a scrollbar for the frame:

• auto: Only when the frame's content is larger than its dimensions.
• yes: Always show a scrollbar.
• no: Never show a scrollbar. :::

Scripting #

::: section-content Inline frames, like <frame> elements, are included in the window.frames pseudo-array.

With the DOM HTMLIFrameElement object, scripts can access the window object of the framed resource via the contentWindow property. The contentDocument property refers to the document inside the <iframe>, same as contentWindow.document.

From the inside of a frame, a script can get a reference to its parent window with window.parent.

Script access to a frame's content is subject to the same-origin policy. Scripts cannot access most properties in other window objects if the script was loaded from a different origin, including scripts inside a frame accessing the frame's parent. Cross-origin communication can be achieved using Window.postMessage(). :::

Positioning and scaling #

::: section-content As a replaced element, the position, alignment, and scaling of the embedded document within the <iframe> element's box, can be adjusted with the object-position and object-fit properties. :::

Examples #

A simple <iframe> #

::: section-content This example embeds the page at https://example.org{target="_blank"} in an iframe.

HTML #

::: code-example [html]{.language-name}

<iframe
  src="https://example.org"
  title="iframe Example 1"
  width="400"
  height="300">
</iframe>

:::

Result #

::: {#sect6 .code-example} ::: iframe ::: ::: :::

Accessibility concerns #

::: section-content People navigating with assistive technology such as a screen reader can use the title attribute on an <iframe> to label its content. The title's value should concisely describe the embedded content:

::: code-example [html]{.language-name}

<iframe
  title="Wikipedia page for Avocados"
  src="https://en.wikipedia.org/wiki/Avocado"></iframe>

:::

Without this title, they have to navigate into the <iframe> to determine what its embedded content is. This context shift can be confusing and time-consuming, especially for pages with multiple <iframe>s and/or if embeds contain interactive content like video or audio. :::

Technical summary #

::: section-content

Specifications #

::: _table #

Specification #

HTML Standard
[# the-iframe-element]{.small}

:::

Browser compatibility #

::: _table #

                                 Desktop                                                                                                                                                          Mobile                                                                                                                                                     

                                 Chrome     Edge   Firefox                              Internet   Opera      Safari                                                                              WebView     Chrome     Firefox for Android                  Opera      Safari on IOS                                                                       Samsung
                                                                                        Explorer                                                                                                  Android     Android                                         Android                                                                                        Internet

iframe 1 12 1 Yes ≤15 ≤4 4.4 18 4 ≤14 ≤3.2 1.0

                                                   The `resize` CSS property doesn\'t                         Safari has a                                                                                               The `resize` CSS property doesn\'t              Safari has a                                                                        
                                                   have any effect on this element due                        [bug](https://www.quirksmode.org/bugreports/archives/2005/02/hidden_iframes.html)                          have any effect on this element due             [bug](https://www.quirksmode.org/bugreports/archives/2005/02/hidden_iframes.html)   
                                                   to [bug                                                    that prevents iframes from loading if the `iframe` element was hidden when added to                        to [bug                                         that prevents iframes from loading if the `iframe` element was hidden when added to 
                                                   680823](https://bugzil.la/680823).                         the page. `iframeElement.src = iframeElement.src` should cause it to load the                              680823](https://bugzil.la/680823).              the page. `iframeElement.src = iframeElement.src` should cause it to load the       
                                                                                                              iframe.                                                                                                                                                    iframe.                                                                             

align 1 12 1 Yes 15 3 4.4 18 4 14 2 1.0

allow 60 79 74 No 47 11.1 60 60 No 44 11.3 8.0

allowfullscreen 3817–38 12 189–18 11 2515–25 10.15.1 384.4–38 3818–38 189–18 2514–25 12 3.01.0–3.0

                                                                                                                                                                                                                                                                         Only available on iPad, not on iPhone.                                              

allowpaymentrequest 60 79 56–83 No 47 No 60 60 56–83 44 No 8.0

credentialless 110 110 No No 96 No 110 110 No 74 No 21.0

external_protocol_urls_blocked No No 67 No No No No No 67 No No No

frameborder 1 12 1 Yes 15 3 4.4 18 4 14 2 1.0

height 1 12 1 Yes 15 3 4.4 18 4 14 2 1.0

loading 77 79 No No 64 16.4 77 77 No 55 16.4 12.0

longdesc 1 12 1 Yes 15 3 4.4 18 4 14 2 1.0

marginheight 1 12 1 Yes 15 3 4.4 18 4 14 2 1.0

marginwidth 1 12 1 Yes 15 3 4.4 18 4 14 2 1.0

name 1 12 1 Yes 15 3 4.4 18 4 14 2 1.0

referrerpolicy 51 79 50 No 38 14 51 51 50 41 14 7.2

sandbox 4 12 17 10 15 5 4.4 18 17 14 4.2 1.0

scrolling 1 12 1 Yes 15 3 4.4 18 4 14 2 1.0

src 1 12 1 Yes 15 ≤4 4.4 18 4 14 ≤3.2 1.0

srcdoc 20 79 25 No 15 6 37 25 25 No No 1.5

width 1 12 1 Yes 15 3 4.4 18 4 14 2 1.0 #

:::

See also #

::: section-content

• CSP: frame-ancestors
• Privacy, permissions, and information security :::

::: _attribution © 2005–2023 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe{._attribution-link} :::