Sandbox and Security in iFrame in Elementor

Control sandbox permissions and referrer policy for embedded iFrames in Elementor using the Custom iFrame WordPress plugin.

Overview

Custom iFrame lets you control the security settings for any embedded iFrame in Elementor. Use sandbox permissions to restrict what the embedded content can do, and set a referrer policy to control what information is sent to the embedded site.

Custom iFrame is a WordPress plugin by CoderzStudio that embeds 100+ external sources in Elementor and Gutenberg without writing any code.

Basic sandbox and referrer policy settings are free. Advanced Embed Security options require Custom iFrame Pro.

Using Gutenberg? See Sandbox and Security in iFrame in Gutenberg.

Requirements

What Is the iFrame Sandbox?

The sandbox attribute restricts what an embedded page can do inside your site. By default, Custom iFrame embeds content without a sandbox, so the content behaves as it normally would.

Enabling sandbox restrictions can:

  • Prevent the embedded page from running scripts
  • Block the embedded page from submitting forms
  • Stop popups and redirects from opening
  • Prevent the embed from navigating the top-level page

Enable restrictions only when you need them. Overly restrictive sandbox settings can break the embedded content.

Step 1: Add the Custom iFrame Widget

Open your page in Elementor

Go to your WordPress dashboard. Open the page where you want the embed. Click Edit with Elementor.

Add the Custom iFrame widget

In the Elementor widget panel, search for Custom iFrame. Drag the widget into your page layout.

Paste the embed URL

In the Content tab on the left panel, paste the URL of the content you want to embed into the Source URL field.

Step 2: Configure Sandbox Permissions

Find the Security section

In the Content tab of the widget panel, scroll down to the Security or Sandbox section.

Enable sandbox restrictions

Toggle Enable Sandbox to on. A list of permission toggles appears.

Allow only the permissions you need

Turn on only the permissions the embedded content requires:

  • Allow Scripts: Let the embedded page run JavaScript.
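  • Allow Same Origin: Let the embed keep its own origin instead of being treated as a unique, isolated origin, so it can use its own cookies and storage. Required for many interactive embeds.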
  • Allow Forms: Let the embedded page submit forms.
  • Allow Popups: Let the embed open new windows or tabs.
  • Allow Modals: Let the embed show alert, confirm, or prompt dialogs.
  • Allow Top Navigation: Let the embed redirect the top-level page.
  • Allow Presentation: Allow the embed to use the Presentation API.

Enabling sandbox without turning on Allow Scripts and Allow Same Origin will break most interactive embeds. Start with both enabled and remove permissions only if needed.

Step 3: Set the Referrer Policy

Find the Referrer Policy setting

In the Security section of the widget panel, find the Referrer Policy dropdown.

Choose a policy

Select the policy that fits your privacy requirements:

  • No Referrer: Send no referrer information to the embedded site.
  • No Referrer When Downgrade: Send referrer for HTTPS-to-HTTPS only. Default browser behavior.
  • Origin: Send only the origin (domain), not the full URL path.
  • Origin When Cross Origin: Send full URL for same-origin, domain only for cross-origin.
  • Same Origin: Send referrer only when the embed is on the same origin.
  • Strict Origin: Send origin for HTTPS-to-HTTPS only.
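  • Strict Origin When Cross Origin: Send the full URL for same-origin, the origin only for cross-origin, and nothing on an HTTPS-to-HTTP downgrade. Recommended for most sites.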
  • Unsafe URL: Always send the full URL. Not recommended.

Step 4: Publish

Click Update or Publish. Your sandbox and referrer policy settings are now active on the embedded iFrame.

For all widget settings, see the Set Up Custom iFrame in Elementor guide.
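
One way to check the attributes a published embed ends up with, as an added example rather than the plugin's own code. It assumes each toggle from Step 2 emits the standard HTML sandbox token of the same name; the function names and URLs are constructed for illustration. It flags the case where Allow Scripts plus Allow Same Origin stops protecting you: when the embedded document is served from your own origin, it can remove the sandbox attribute itself.

```javascript
// Added example, not the plugin's code. Assumption: each widget toggle
// emits the standard HTML sandbox token listed here.
const TOGGLE_TO_TOKEN = {
  "Allow Scripts": "allow-scripts",
  "Allow Same Origin": "allow-same-origin",
  "Allow Forms": "allow-forms",
  "Allow Popups": "allow-popups",
  "Allow Modals": "allow-modals",
  "Allow Top Navigation": "allow-top-navigation",
  "Allow Presentation": "allow-presentation",
};

// Build the sandbox attribute value. An empty string is valid HTML and
// means every restriction stays on.
function sandboxValue(enabledToggles) {
  return enabledToggles.map((name) => {
    const known = Object.prototype.hasOwnProperty.call(TOGGLE_TO_TOKEN, name);
    if (!known) throw new Error(`unknown toggle: ${name}`);
    return TOGGLE_TO_TOKEN[name];
  }).join(" ");
}

// Audit one iframe. sandbox === null means the attribute is absent.
function auditIframe({ src, sandbox, referrerpolicy }, pageUrl) {
  const findings = [];
  if (sandbox === null) {
    findings.push("no-sandbox");
  } else {
    const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
    const sameOrigin = new URL(src, pageUrl).origin === new URL(pageUrl).origin;
    // A same-origin document that may run scripts can reach the parent
    // page and remove its own sandbox attribute.
    if (sameOrigin && tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
      findings.push("sandbox-removable");
    }
    if (tokens.has("allow-top-navigation")) findings.push("can-redirect-top-page");
  }
  if ((referrerpolicy || "").toLowerCase() === "unsafe-url") findings.push("leaks-full-url");
  return findings;
}

// Constructed sample data: one third-party embed, one file on the site itself.
const PAGE = "https://example.com/members/invoice?id=42";
const start = sandboxValue(["Allow Scripts", "Allow Same Origin"]);
const thirdParty = { src: "https://widgets.example.net/form", sandbox: start, referrerpolicy: "strict-origin-when-cross-origin" };
const ownFile = { src: "/uploads/report.html", sandbox: start, referrerpolicy: "unsafe-url" };
console.log(auditIframe(thirdParty, PAGE));
console.log(auditIframe(ownFile, PAGE));
```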

This guide showed you how to configure sandbox permissions and referrer policy in Elementor using the Custom iFrame plugin. These settings let you control exactly what the embedded content can do inside your site.

FAQ