Description

The HTML <iframe> (Inline Frame) element represents a nested browsing context. It is essentially a window within your window, allowing you to embed a completely separate HTML document into your current page.

Each iframe functions as an independent environment with its own session history, DOM tree, and window object. This isolation is a core feature of the web's security model, known as the Same-Origin Policy, which prevents scripts in the iframe from accessing the parent page's data (and vice versa) unless they share the same origin.

Technically, an iframe is a replaced element, meaning its content is not directly rendered by the CSS box model of the parent page. Instead, the browser reserves a box of a certain size (defined by width and height) and renders the external document inside that box.

Iframes are the industry standard for embedding third-party content such as:

  • Media: YouTube/Vimeo videos and Spotify players.
  • Widgets: Google Maps, Twitter feeds, and weather widgets.
  • Advertising: Most web ads are delivered via sandboxed iframes to prevent them from interfering with the main site.
  • Sandboxed Environments: Using the srcdoc attribute allows you to render untrusted code safely by isolating it from your main application's scope.

From a navigation perspective, each iframe has its own browsing context hierarchy. A script inside an iframe can refer to its parent window using window.parent or the topmost window using window.top. This hierarchy is linearized into the main browser tab's session history, allowing users to use the "Back" button to navigate through iframe transitions.

CSS Display:inline-block

Syntax

<iframe src="https://htmlsave.com/html/iframe-tag" title="Description of content"></iframe>

Popular Attributes

AttributeDescription
srcRequiredSpecifies the path or URL to the resource file.
titleRequiredProvides advisory text, often displayed as a tooltip on hover.
widthSets the display width of the element in pixels or as a percentage.
heightSets the display height of the element in pixels or as a percentage.
sandboxApplies extra restrictions to the content in the iframe. Values: allow-forms, allow-scripts, allow-same-origin, allow-popups, etc.
loadingSpecifies lazy loading behavior. Values: lazy (defers loading until near viewport), eager (loads immediately, default).
allowSpecifies a feature policy for the iframe (e.g. camera, microphone, geolocation).
srcdocSpecifies the HTML content of the page to show in the iframe. Overrides the src attribute.
nameThe name of the form control, used to identify the field when submitting form data.
referrerpolicySpecifies which referrer information to send when fetching the iframe content.
allowfullscreenAllows the iframe to be displayed in full-screen mode.

This element also supports global HTML attributes such as class, id, style, data-*, and more.

Examples

Basic Website Embed
<iframe src="https://htmlsave.com" title="HTMLSave" width="100%" height="400"> </iframe>
A simple embed of an external website. The title attribute is essential for accessibility.
Responsive YouTube Embed
<iframe width="560" height="315" src="https://www.youtube.com/embed/3Yp4zQFDypo" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen> </iframe>
Commonly used to embed videos. The allow attribute handles permissions for hardware access.
Security-Hardened Sandboxed Iframe
<iframe src="https://htmlsave.com" sandbox="allow-scripts allow-forms" title="Secure Embed"> </iframe>
The sandbox attribute restricts what the embedded content can do. Here, only scripts and form submissions are allowed.

Notes

Security & Best Practices

  • The Title Attribute (Crucial for SEO): Always include a descriptive title. Screen readers announce the title to help users understand what the frame contains. Without it, users may find the page confusing.
  • The sandbox Defense: This is your most powerful security tool. Using sandbox="" (empty) blocks all scripts, forms, and popups. You can then selectively re-enable features like allow-scripts or allow-forms as needed.
  • Clickjacking Protection: To prevent others from embedding your site in an iframe (a technique used in "clickjacking" attacks), use the X-Frame-Options: DENY or SAMEORIGIN HTTP header.
  • Communication via postMessage: If you need the parent page to talk to the iframe (or vice-versa), use the window.postMessage() API. This allows secure, cross-origin communication without breaking the Same-Origin Policy.
  • Performance with loading="lazy": Iframes are resource-heavy. Adding loading="lazy" ensures the browser only fetches the iframe content when the user scrolls near it, significantly speeding up the initial page load.

Advantages

  • Isolation: Third-party code cannot interfere with your site's CSS or JavaScript global scope.
  • Parallelism: Browsers can often download iframe content in parallel with the main page.
  • Dynamic Content: Easily switch the src attribute via JavaScript to update embedded content without a full page refresh.

Disadvantages

  • Memory Overhead: Each iframe is essentially a new browser instance; having dozens of them can crash mobile browsers.
  • SEO Limitations: Search engines typically do not index content inside iframes as belonging to the parent page. If the content is vital for SEO, do not use an iframe.
  • Navigation Complexity: Navigating inside an iframe does not always update the browser's main URL, which can break the "Back" button experience.

Related Tags

<object><embed><video><audio>