I've been reading up on HTML5's sandbox attribute for <iframe>s. According to the documentation the sandbox attribute allows a developer to selectively restrict what actions can be done in an <iframe>. Is the sandbox attribute purely a security measure? Does the sandbox attribute enable web designers to implement any new functionality and if so can anyone point to any examples?
Well, it is purely a security feature, but it does allow new functionality as well. Take for example embedding third party (user) content (e.g. HTML files). Traditionally you would need to set up a separate domain from which you would serve that content, now however you can simply serve it from wherever you want to and have it treated as if it's from a separate domain.
On top of that it can prevent this third party content from doing certain things, which you could not have prevented previously like:
allow-top-navigation: Preventing it from breaking outallow-pointer-lock: Preventing it from taking the cursor hostageallow-popups: Preventing it from breaking out through popupsallow-scripts: Simply blocking all scripts (could also have been done through CSP)Realistically the combination of the sandbox attribute combined with controlled CSP headers gives an incredible amount of control to run third party code in a safe environment. It's not 100% there yet, but we're getting quite close.