: The Inline Frame element</h1> <p><code>{{HTMLSidebar}}</code> </p> <p>The <strong><code><iframe></code></strong> <a href="/en-US/docs/Web/HTML">HTML</a> element represents a nested <code>{{Glossary("browsing context")}}</code> , embedding another HTML page into the current one.</p> <p><code>{{EmbedInteractiveExample("pages/tabbed/iframe.html", "tabbed-standard")}}</code> </p> <p>Each embedded browsing context has its own <a href="/en-US/docs/Web/API/Document">document</a> and allows URL navigations. The navigations of each embedded browsing context are linearized into the <a href="/en-US/docs/Web/API/History">session history</a> of the <em>topmost</em> browsing context. The browsing context that embeds the others is called the <em>parent browsing context</em>. The <em>topmost</em> browsing context — the one with no parent — is usually the browser window, represented by the <code>{{domxref("Window")}}</code> object.</p> <blockquote> <p>[!WARNING] Because each browsing context is a complete document environment, every <code><iframe></code> in a page requires increased memory and other computing resources. While theoretically you can use as many <code><iframe></code>s as you like, check for performance problems.</p> </blockquote> <h2 id="attributes">Attributes</h2> <p>This element includes the <a href="/en-US/docs/Web/HTML/Global_attributes">global attributes</a>.</p> <ul> <li> <p><code>allow</code></p> <ul> <li> <p>: Specifies a <a href="/en-US/docs/Web/HTTP/Permissions_Policy">Permissions Policy</a> for the <code><iframe></code>. The policy defines what features are available to the <code><iframe></code> (for example, access to the microphone, camera, battery, web-share, etc.) based on the origin of the request.</p> <p>See <a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy#iframes">iframes</a> in the <code>Permissions-Policy</code> topic for examples.</p> <blockquote> <p>[!NOTE] A Permissions Policy specified by the <code>allow</code> attribute implements a further restriction on top of the policy specified in the <code>{{httpheader("Permissions-Policy")}}</code> header. It doesn’t replace it.</p> </blockquote> </li> </ul> </li> <li> <p><code>allowfullscreen</code></p> <ul> <li> <p>: Set to <code>true</code> if the <code><iframe></code> can activate fullscreen mode by calling the <code>{{domxref("Element.requestFullscreen", "requestFullscreen()")}}</code> method.</p> <blockquote> <p>[!NOTE] This attribute is considered a legacy attribute and redefined as <code>allow="fullscreen"</code>.</p> </blockquote> </li> </ul> </li> <li> <p><code>allowpaymentrequest</code> <code>{{deprecated_inline}}</code> <code>{{non-standard_inline}}</code> </p> <ul> <li> <p>: Set to <code>true</code> if a cross-origin <code><iframe></code> should be allowed to invoke the <a href="/en-US/docs/Web/API/Payment_Request_API">Payment Request API</a>.</p> <blockquote> <p>[!NOTE] This attribute is considered a legacy attribute and redefined as <code>allow="payment"</code>.</p> </blockquote> </li> </ul> </li> <li> <p><code>browsingtopics</code> <code>{{Experimental_Inline}}</code> <code>{{non-standard_inline}}</code> </p> <ul> <li>: A boolean attribute that, if present, specifies that the selected topics for the current user should be sent with the request for the <code><iframe></code>'s source. See <a href="/en-US/docs/Web/API/Topics_API/Using">Using the Topics API</a> for more details.</li> </ul> </li> <li> <p><code>credentialless</code> <code>{{Experimental_Inline}}</code> </p> <ul> <li>: Set to <code>true</code> to make the <code><iframe></code> credentialless, meaning that its content will be loaded in a new, ephemeral context. It doesn’t have access to the network, cookies, and storage data associated with its origin. It uses a new context local to the top-level document lifetime. In return, the <code>{{httpheader("Cross-Origin-Embedder-Policy")}}</code> (COEP) embedding rules can be lifted, so documents with COEP set can embed third-party documents that do not. See <a href="/en-US/docs/Web/Security/IFrame_credentialless">IFrame credentialless</a> for more details.</li> </ul> </li> <li> <p><code>csp</code> <code>{{experimental_inline}}</code> </p> <ul> <li>: A <a href="/en-US/docs/Web/HTTP/CSP">Content Security Policy</a> enforced for the embedded resource. See <code>{{domxref("HTMLIFrameElement.csp")}}</code> for details.</li> </ul> </li> <li> <p><code>height</code></p> <ul> <li>: The height of the frame in CSS pixels. Default is <code>150</code>.</li> </ul> </li> <li> <p><code>loading</code></p> <ul> <li> <p>: Indicates when the browser should load the iframe:</p> <ul> <li> <p><code>eager</code></p> <ul> <li>: Load the iframe immediately on page load (this is the default value).</li> </ul> </li> <li> <p><code>lazy</code></p> <ul> <li> <p>: Defer loading of the iframe until it reaches a calculated distance from the <code>{{glossary("visual viewport")}}</code> , as defined by the browser. The intent is to avoid using the network and storage bandwidth required to fetch the frame until the browser is reasonably certain that it will be needed. This improves the performance and cost in most typical use cases, in particular by reducing initial page load times.</p> <blockquote> <p>[!NOTE] Loading is only deferred when JavaScript is enabled. This is an anti-tracking measure.</p> </blockquote> </li> </ul> </li> </ul> </li> </ul> </li> <li> <p><code>name</code></p> <ul> <li>: A targetable name for the embedded browsing context. This can be used in the <code>target</code> attribute of the <code>{{HTMLElement("a")}}</code> , <code>{{HTMLElement("form")}}</code> , or <code>{{HTMLElement("base")}}</code> elements; the <code>formtarget</code> attribute of the <code>{{HTMLElement("input")}}</code> or <code>{{HTMLElement("button")}}</code> elements; or the <code>windowName</code> parameter in the <code>{{domxref("Window.open()","window.open()")}}</code> method.</li> </ul> </li> <li> <p><code>referrerpolicy</code></p> <ul> <li> <p>: Indicates which <a href="/en-US/docs/Web/API/Document/referrer">referrer</a> to send when fetching the frame’s resource:</p> <ul> <li><code>no-referrer</code> <ul> <li>: The <code>{{HTTPHeader("Referer")}}</code> header will not be sent.</li> </ul> </li> <li><code>no-referrer-when-downgrade</code> <ul> <li>: The <code>{{HTTPHeader("Referer")}}</code> header will not be sent to <code>{{Glossary("origin")}}</code> s without <code>{{Glossary("TLS")}}</code> (<code>{{Glossary("HTTPS")}}</code> ).</li> </ul> </li> <li><code>origin</code> <ul> <li>: The sent referrer will be limited to the origin of the referring page: its <a href="/en-US/docs/Learn_web_development/Howto/Web_mechanics/What_is_a_URL">scheme</a>, <code>{{Glossary("host")}}</code> , and <code>{{Glossary("port")}}</code> .</li> </ul> </li> <li><code>origin-when-cross-origin</code> <ul> <li>: The referrer sent to other origins will be limited to the scheme, the host, and the port. Navigations on the same origin will still include the path.</li> </ul> </li> <li><code>same-origin</code> <ul> <li>: A referrer will be sent for <code>{{Glossary("Same-origin policy", "same origin")}}</code> , but cross-origin requests will contain no referrer information.</li> </ul> </li> <li><code>strict-origin</code> <ul> <li>: Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don’t send it to a less secure destination (HTTPS→HTTP).</li> </ul> </li> <li><code>strict-origin-when-cross-origin</code> (default) <ul> <li>: Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).</li> </ul> </li> <li><code>unsafe-url</code> <ul> <li>: The referrer will include the origin <em>and</em> the path (but not the <a href="/en-US/docs/Web/API/HTMLAnchorElement/hash">fragment</a>, <a href="/en-US/docs/Web/API/HTMLAnchorElement/password">password</a>, or <a href="/en-US/docs/Web/API/HTMLAnchorElement/username">username</a>). <strong>This value is unsafe</strong>, because it leaks origins and paths from TLS-protected resources to insecure origins.</li> </ul> </li> </ul> </li> </ul> </li> <li> <p><code>sandbox</code></p> <ul> <li> <p>: Controls the restrictions applied to the content embedded in the <code><iframe></code>. The value of the attribute can either be empty to apply all restrictions, or space-separated tokens to lift particular restrictions:</p> <ul> <li><code>allow-downloads</code> <ul> <li>: Allows downloading files through an <code>{{HTMLElement("a")}}</code> or <code>{{HTMLElement("area")}}</code> element with the <a href="/en-US/docs/Web/HTML/Element/a#download">download</a> attribute, as well as through the navigation that leads to a download of a file. This works regardless of whether the user clicked on the link, or JS code initiated it without user interaction.</li> </ul> </li> <li><code>allow-forms</code> <ul> <li>: Allows the page to submit forms. If this keyword is not used, a form will be displayed as normal, but submitting it will not trigger input validation, send data to a web server, or close a dialog.</li> </ul> </li> <li><code>allow-modals</code> <ul> <li>: Allows the page to open modal windows by <code>{{domxref("Window.alert()")}}</code> , <code>{{domxref("Window.confirm()")}}</code> , <code>{{domxref("Window.print()")}}</code> and <code>{{domxref("Window.prompt()")}}</code> , while opening a <code>{{HTMLElement("dialog")}}</code> is allowed regardless of this keyword. It also allows the page to receive <code>{{domxref("BeforeUnloadEvent")}}</code> event.</li> </ul> </li> <li><code>allow-orientation-lock</code> <ul> <li>: Lets the resource <a href="/en-US/docs/Web/API/Screen/lockOrientation">lock the screen orientation</a>.</li> </ul> </li> <li><code>allow-pointer-lock</code> <ul> <li>: Allows the page to use the <a href="/en-US/docs/Web/API/Pointer_Lock_API">Pointer Lock API</a>.</li> </ul> </li> <li><code>allow-popups</code> <ul> <li>: Allows popups (like from <code>{{domxref("Window.open()")}}</code> , <code>target="_blank"</code>, <code>{{domxref("Window.showModalDialog()")}}</code> ). If this keyword is not used, that functionality will silently fail.</li> </ul> </li> <li><code>allow-popups-to-escape-sandbox</code> <ul> <li>: Allows a sandboxed document to open a new browsing context without forcing the sandboxing flags upon it. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon the page the ad links to. If this flag is not included, a redirected page, popup window, or new tab will be subject to the same sandbox restrictions as the originating <code><iframe></code>.</li> </ul> </li> <li><code>allow-presentation</code> <ul> <li>: Allows embedders to have control over whether an iframe can start a <a href="/en-US/docs/Web/API/PresentationRequest">presentation session</a>.</li> </ul> </li> <li><code>allow-same-origin</code> <ul> <li>: If this token is not used, the resource is treated as being from a special origin that always fails the <code>{{Glossary("same-origin policy")}}</code> (potentially preventing access to <a href="/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access">data storage/cookies</a> and some JavaScript APIs).</li> </ul> </li> <li><code>allow-scripts</code> <ul> <li>: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.</li> </ul> </li> <li><code>allow-storage-access-by-user-activation</code> <code>{{experimental_inline}}</code> <ul> <li>: Allows a document loaded in the <code><iframe></code> to use the <code>{{domxref("Storage Access API", "Storage Access API", "", "nocode")}}</code> to request access to unpartitioned cookies.</li> </ul> </li> <li><code>allow-top-navigation</code> <ul> <li>: Lets the resource navigate the top-level browsing context (the one named <code>_top</code>).</li> </ul> </li> <li><code>allow-top-navigation-by-user-activation</code> <ul> <li>: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.</li> </ul> </li> <li><code>allow-top-navigation-to-custom-protocols</code> <ul> <li>: Allows navigations to non-<code>http</code> protocols built into browser or <a href="/en-US/docs/Web/API/Navigator/registerProtocolHandler">registered by a website</a>. This feature is also activated by <code>allow-popups</code> or <code>allow-top-navigation</code> keyword.</li> </ul> </li> </ul> <blockquote> <p>[!NOTE]</p> <ul> <li>When the embedded document has the same origin as the embedding page, it is <strong>strongly discouraged</strong> to use both <code>allow-scripts</code> and <code>allow-same-origin</code>, as that lets the embedded document remove the <code>sandbox</code> attribute — making it no more secure than not using the <code>sandbox</code> attribute at all.</li> <li>Sandboxing is useless if the attacker can display content outside a sandboxed <code>iframe</code> — such as if the viewer opens the frame in a new tab. Such content should be also served from a <em>separate origin</em> to limit potential damage.</li> </ul> </blockquote> <blockquote> <p>[!NOTE] When redirecting the user, opening a popup window, or opening a new tab from an embedded page within an <code><iframe></code> with the <code>sandbox</code> attribute, the new browsing context is subject to the same <code>sandbox</code> restrictions. This can create issues — for example, if a page embedded within an <code><iframe></code> without a <code>sandbox="allow-forms"</code> or <code>sandbox="allow-popups-to-escape-sandbox"</code> attribute set on it opens a new site in a separate tab, form submission in that new browsing context will silently fail.</p> </blockquote> </li> </ul> </li> <li> <p><code>src</code></p> <ul> <li> <p>: The URL of the page to embed. Use a value of <code>about:blank</code> to embed an empty page that conforms to the <a href="/en-US/docs/Web/Security/Same-origin_policy#inherited_origins">same-origin policy</a>. Also note that programmatically removing an <code><iframe></code>'s src attribute (e.g. via <code>{{domxref("Element.removeAttribute()")}}</code> ) causes <code>about:blank</code> to be loaded in the frame in Firefox (from version 65), Chromium-based browsers, and Safari/iOS.</p> <blockquote> <p>[!NOTE] The <code>about:blank</code> page uses the embedding document’s URL as its base URL when resolving any relative URLs, such as anchor links.</p> </blockquote> </li> </ul> </li> <li> <p><code>srcdoc</code></p> <ul> <li> <p>: Inline HTML to embed, overriding the <code>src</code> attribute. Its content should follow the syntax of a full HTML document, which includes the doctype directive, <code><html></code>, <code><body></code> tags, etc., although most of them can be omitted, leaving only the body content. This doc will have <code>about:srcdoc</code> as its location. If a browser does not support the <code>srcdoc</code> attribute, it will fall back to the URL in the <code>src</code> attribute.</p> <blockquote> <p>[!NOTE] The <code>about:srcdoc</code> page uses the embedding document’s URL as its base URL when resolving any relative URLs, such as anchor links.</p> </blockquote> </li> </ul> </li> <li> <p><code>width</code></p> <ul> <li>: The width of the frame in CSS pixels. Default is <code>300</code>.</li> </ul> </li> </ul> <h3 id="deprecated-attributes">Deprecated attributes</h3> <p>These attributes are deprecated and may no longer be supported by all user agents. You should not use them in new content, and try to remove them from existing content.</p> <ul> <li> <p><code>align</code> <code>{{deprecated_inline}}</code> </p> <ul> <li>: The alignment of this element with respect to the surrounding context.</li> </ul> </li> <li> <p><code>frameborder</code> <code>{{deprecated_inline}}</code> </p> <ul> <li>: The value <code>1</code> (the default) draws a border around this frame. The value <code>0</code> removes the border around this frame, but you should instead use the CSS property <code>{{cssxref("border")}}</code> to control <code><iframe></code> borders.</li> </ul> </li> <li> <p><code>longdesc</code> <code>{{deprecated_inline}}</code> </p> <ul> <li>: A URL of a long description of the frame’s content. Due to widespread misuse, this is not helpful for non-visual browsers.</li> </ul> </li> <li> <p><code>marginheight</code> <code>{{deprecated_inline}}</code> </p> <ul> <li>: The amount of space in pixels between the frame’s content and its top and bottom borders.</li> </ul> </li> <li> <p><code>marginwidth</code> <code>{{deprecated_inline}}</code> </p> <ul> <li>: The amount of space in pixels between the frame’s content and its left and right borders.</li> </ul> </li> <li> <p><code>scrolling</code> <code>{{deprecated_inline}}</code> </p> <ul> <li> <p>: Indicates when the browser should provide a scrollbar for the frame:</p> <ul> <li><code>auto</code> <ul> <li>: Only when the frame’s content is larger than its dimensions.</li> </ul> </li> <li><code>yes</code> <ul> <li>: Always show a scrollbar.</li> </ul> </li> <li><code>no</code> <ul> <li>: Never show a scrollbar.</li> </ul> </li> </ul> </li> </ul> </li> </ul> <h2 id="scripting">Scripting</h2> <p>Inline frames, like <code>{{HTMLElement("frame")}}</code> elements, are included in the <code>{{domxref("window.frames")}}</code> pseudo-array.</p> <p>With the DOM <code>{{domxref("HTMLIFrameElement")}}</code> object, scripts can access the <code>{{domxref("window")}}</code> object of the framed resource via the <code>{{domxref("HTMLIFrameElement.contentWindow", "contentWindow")}}</code> property. The <code>{{domxref("HTMLIFrameElement.contentDocument", "contentDocument")}}</code> property refers to the <code>document</code> inside the <code><iframe></code>, same as <code>contentWindow.document</code>.</p> <p>From the inside of a frame, a script can get a reference to its parent window with <code>{{domxref("window.parent")}}</code> .</p> <p>Script access to a frame’s content is subject to the <a href="/en-US/docs/Web/Security/Same-origin_policy">same-origin policy</a>. Scripts cannot access most properties in other <code>window</code> objects if the script was loaded from a different origin, including scripts inside a frame accessing the frame’s parent. Cross-origin communication can be achieved using <code>{{domxref("Window.postMessage()")}}</code> .</p> <h2 id="positioning-and-scaling">Positioning and scaling</h2> <p>Being a <a href="/en-US/docs/Web/CSS/Replaced_element">replaced element</a>, the <code><iframe></code> allows the position of the embedded document within its box to be adjusted using the <code>{{cssxref("object-position")}}</code> property.</p> <blockquote> <p>[!NOTE] The <code>{{cssxref("object-fit")}}</code> property has no effect on <code><iframe></code> elements.</p> </blockquote> <h2 id="error-and-load-event-behavior"><code>error</code> and <code>load</code> event behavior</h2> <p>The <code>error</code> and <code>load</code> events fired on <code><iframe></code>s could be used to probe the URL space of the local network’s HTTP servers. Therefore, as a security precaution user agents do not fire the <a href="/en-US/docs/Web/API/HTMLElement/error_event">error</a> event on <code><iframe></code>s, and the <a href="/en-US/docs/Web/API/HTMLElement/load_event">load</a> event is always triggered even if the <code><iframe></code> content fails to load.</p> <h2 id="accessibility">Accessibility</h2> <p>People navigating with assistive technology such as a screen reader can use the <a href="/en-US/docs/Web/HTML/Global_attributes/title"><code>title</code> attribute</a> on an <code><iframe></code> to label its content. The title’s value should concisely describe the embedded content:</p> <pre class="hljs"><code data-language="html"><span class="hljs-tag"><<span class="hljs-name">iframe</span> <span class="hljs-attr">title</span>=<span class="hljs-string">"Wikipedia page for Avocados"</span> <span class="hljs-attr">src</span>=<span class="hljs-string">"https://en.wikipedia.org/wiki/Avocado"</span>></span><span class="hljs-tag"></<span class="hljs-name">iframe</span>></span> </code></pre> <p>Without this title, they have to navigate into the <code><iframe></code> to determine what its embedded content is. This context shift can be confusing and time-consuming, especially for pages with multiple <code><iframe></code>s and/or if embeds contain interactive content like video or audio.</p> <h2 id="examples">Examples</h2> <h3 id="a-basic-%3Ciframe%3E">A basic <iframe></h3> <p>This example embeds the page at <a href="https://example.org" rel="noopener noreferrer" target="_blank">https://example.org</a> in an iframe. This is a common use case of iframes: to embed content from another site. For example, the live sample itself, and the <a href="#try_it">try it</a> example at the top, are both <code><iframe></code> embeds of content from another MDN site.</p> <h4 id="html">HTML</h4> <pre class="hljs"><code data-language="html"><span class="hljs-tag"><<span class="hljs-name">iframe</span> <span class="hljs-attr">src</span>=<span class="hljs-string">"https://example.org"</span> <span class="hljs-attr">title</span>=<span class="hljs-string">"iframe Example 1"</span> <span class="hljs-attr">width</span>=<span class="hljs-string">"400"</span> <span class="hljs-attr">height</span>=<span class="hljs-string">"300"</span>></span> <span class="hljs-tag"></<span class="hljs-name">iframe</span>></span> </code></pre> <h4 id="result">Result</h4> <p><code>{{ EmbedLiveSample('A_basic_iframe', 640,400)}}</code> </p> <h3 id="embedding-source-code-in-an-%3Ciframe%3E">Embedding source code in an <iframe></h3> <p>This example directly renders source code in an iframe. This can be used as a technique to prevent script injection when displaying user-generated content, when combined with the <code>sandbox</code> attribute.</p> <p>Note that when using <code>srcdoc</code>, any relative URLs in the embedded content will be resolved relative to the URL of the embedding page. If you want to use anchor links that point to places in the embedded content, you need to explicitly specify <code>about:srcdoc</code> as the base URL.</p> <h4 id="html-1">HTML</h4> <pre class="hljs hljs-unregistered"><code data-language="html-nolint"><article> <footer>Nine minutes ago, <i>jc</i> wrote:</footer> <iframe sandbox srcdoc="<p>There are two ways to use the <code>iframe</code> element:</p> <ol> <li><a href=&quot;about:srcdoc#embed_another&quot;>To embed content from another page</a></li> <li><a href=&quot;about:srcdoc#embed_user&quot;>To embed user-generated content</a></li> </ol> <h2 id=&quot;embed_another&quot;>Embedding content from another page</h2> <p>Use the <code>src</code> attribute to specify the URL of the page to embed:</p> <pre><code>&amp;lt;iframe src=&quot;https://example.org&quot;&amp;gt;&amp;lt;/iframe&amp;gt;</code></pre> <h2 id=&quot;embed_user&quot;>Embedding user-generated content</h2> <p>Use the <code>srcdoc</code> attribute to specify the content to embed. This post is already an example!</p> " width="500" height="250" ></iframe> </article> </code></pre> <p>Here’s how to write escape sequences when using <code>srcdoc</code>:</p> <ul> <li>First, write the HTML out, escaping anything you would escape in a normal HTML document (such as <code><</code>, <code>></code>, <code>&</code>, etc.).</li> <li><code>&lt;</code> and <code><</code> represent the exact same character in the <code>srcdoc</code> attribute. Therefore, to make it an actual escape sequence in the HTML document, replace any ampersands (<code>&</code>) with <code>&amp;</code>. For example, <code>&lt;</code> becomes <code>&amp;lt;</code>, and <code>&amp;</code> becomes <code>&amp;amp;</code>.</li> <li>Replace any double quotes (<code>"</code>) with <code>&quot;</code> to prevent the <code>srcdoc</code> attribute from being prematurely terminated (if you use <code>'</code> instead, then you should replace <code>'</code> with <code>&apos;</code> instead). This step happens after the previous one, so <code>&quot;</code> generated in this step doesn’t become <code>&amp;quot;</code>.</li> </ul> <h4 id="result-1">Result</h4> <p><code>{{ EmbedLiveSample('Embedding_source_code_in_an_iframe', 640, 300)}}</code> </p> <h2 id="technical-summary">Technical summary</h2> <table class="properties"> <tbody> <tr> <th scope="row"> <a href="/en-US/docs/Web/HTML/Content_categories" >Content categories</a > </th> <td> <a href="/en-US/docs/Web/HTML/Content_categories#flow_content" >Flow content</a >, <a href="/en-US/docs/Web/HTML/Content_categories#phrasing_content" >phrasing content</a >, embedded content, interactive content, palpable content. </td> </tr> <tr> <th scope="row">Permitted content</th> <td>None.</td> </tr> <tr> <th scope="row">Tag omission</th> <td>None, both the starting and ending tags are mandatory.</td> </tr> <tr> <th scope="row">Permitted parents</th> <td>Any element that accepts embedded content.</td> </tr> <tr> <th scope="row">Implicit ARIA role</th> <td> <a href="https://www.w3.org/TR/html-aria/#dfn-no-corresponding-role" >No corresponding role</a > </td> </tr> <tr> <th scope="row">Permitted ARIA roles</th> <td> <a href="/en-US/docs/Web/Accessibility/ARIA/Roles/application_role"><code>application</code></a>, <a href="/en-US/docs/Web/Accessibility/ARIA/Roles/document_role"><code>document</code></a>, <a href="/en-US/docs/Web/Accessibility/ARIA/Roles/img_role"><code>img</code></a>, <a href="/en-US/docs/Web/Accessibility/ARIA/Roles/none_role"><code>none</code></a>, <a href="/en-US/docs/Web/Accessibility/ARIA/Roles/presentation_role"><code>presentation</code></a> </td> </tr> <tr> <th scope="row">DOM interface</th> <td>`{{domxref("HTMLIFrameElement")}}` </td> </tr> </tbody> </table> <h2 id="specifications">Specifications</h2> <p><code>{{Specifications}}</code> </p> <h2 id="browser-compatibility">Browser compatibility</h2> <p><code>{{Compat}}</code> </p> <h2 id="see-also">See also</h2> <ul> <li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">CSP: frame-ancestors</a></li> <li><a href="/en-US/docs/Web/Privacy">Privacy, permissions, and information security</a></li> </ul> </article> <right-rail> <h3>In this article</h3> <nav class="table-of-contents"><ol><li><a href="#attributes">Attributes</a><ol><li><a href="#deprecated-attributes">Deprecated attributes</a></li></ol></li><li><a href="#scripting">Scripting</a></li><li><a href="#positioning-and-scaling">Positioning and scaling</a></li><li><a href="#error-and-load-event-behavior">error and load event behavior</a></li><li><a href="#accessibility">Accessibility</a></li><li><a href="#examples">Examples</a><ol><li><a href="#a-basic-%3Ciframe%3E">A basic <iframe></a><ol><li><a href="#html">HTML</a></li><li><a href="#result">Result</a></li></ol></li><li><a href="#embedding-source-code-in-an-%3Ciframe%3E">Embedding source code in an <iframe></a><ol><li><a href="#html-1">HTML</a></li><li><a href="#result-1">Result</a></li></ol></li></ol></li><li><a href="#technical-summary">Technical summary</a></li><li><a href="#specifications">Specifications</a></li><li><a href="#browser-compatibility">Browser compatibility</a></li><li><a href="#see-also">See also</a></li></ol></nav> <small><a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe" target="_blank">View on MDN</a></small> </right-rail> <footer> <p>Content from <a href="https://github.com/mdn/content" target="_blank">MDN Web Docs</a></p> </footer> </body> </html>