The following embeds an untrusted web page with all restrictions enabled:
<iframe sandbox src="http://example.com/"></iframe>
To allow the page to run scripts and submit forms, add allow-scripts and allow-forms to the sandbox attribute:
<iframe sandbox="allow-scripts allow-forms" src="http://example.com/"></iframe>
The following keeps the embedded page's origin and lets it navigate the top-level browsing context:
<iframe sandbox="allow-same-origin allow-top-navigation" src="http://example.com/untrusted/comments/page2"></iframe>
The parent document can add event listeners and resize the iframe to fit its contents. This, together with allow-top-navigation, can make the sandboxed iframe appear to be part of the parent document.
This sandbox is not a replacement for sanitizing input, but it can be used as one layer of a defense-in-depth strategy.
Also be aware that this sandbox can be subverted by an attacker convincing a user to visit the iframe's source URL directly, where no sandbox attribute applies. Serving the untrusted resource with a Content-Security-Policy HTTP header (its sandbox directive accepts the same keywords) mitigates this attack, because the restrictions then travel with the resource itself.
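The following is an added example, not code from the original text: it extracts the sandbox attribute from an iframe start tag, validates the keyword list, flags the combinations discussed above (allow-top-navigation, and allow-scripts together with allow-same-origin), and builds the equivalent Content-Security-Policy sandbox header for the framed resource so the restrictions also hold when its URL is visited directly. The regex-based tag scan and the function names are this example's own assumptions, not a full HTML parser.

```javascript
// Added example (not from the original page). Runs offline in Node.js.

// Sandbox keywords defined by the HTML standard. Any token not listed is
// rejected: an unrecognised keyword silently grants nothing, so a typo such as
// "allow-script" leaves the frame more restricted than the author intended.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock", "allow-pointer-lock",
  "allow-popups", "allow-popups-to-escape-sandbox", "allow-presentation",
  "allow-same-origin", "allow-scripts", "allow-top-navigation",
  "allow-top-navigation-by-user-activation", "allow-downloads",
]);

// Extract the sandbox attribute from one <iframe ...> start tag (simple regex,
// assumed adequate for a single tag). Returns null when the attribute is absent
// (no sandboxing at all), "" for the bare boolean form, else the value.
function sandboxAttrOf(tag) {
  const m = /\ssandbox\b(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i.exec(tag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? "";
}

// Turn an attribute value into a validated Set of keywords ("" = fully restricted).
function parseSandbox(value) {
  const tokens = (value || "").trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t));
  if (unknown.length) throw new Error(`unknown sandbox token(s): ${unknown.join(", ")}`);
  return new Set(tokens);
}

// Review findings a defender would want to see for a keyword set.
function audit(tokens) {
  const findings = [];
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin: a same-origin document can remove its own sandbox attribute and reload, so the sandbox gives no protection");
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: framed content can navigate the top-level page and appear to be part of the parent document");
  }
  return findings;
}

// Header the untrusted resource should itself be served with, mirroring the
// iframe's allowances. The directive only takes effect as an HTTP header,
// not in a <meta http-equiv> tag.
function cspSandboxHeader(tokens) {
  const list = [...tokens].sort().join(" ");
  return "Content-Security-Policy: sandbox" + (list ? " " + list : "");
}
```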