toys
PixelGamesHub
Home
Categories
For Studios
Advertise
Search games
search
Submit Game
Join Free
Home
chevron_right
Tools
chevron_right
Iframe Sandbox Tester
Iframe Sandbox Tester
See what each sandbox token actually allows or blocks
Paste an existing sandbox attribute (optional)
Apply
allow-scripts
Run JavaScript inside the iframe
Required for almost any modern game.
allow-same-origin
Treat the iframe as same-origin (cookies, localStorage, IndexedDB)
Combine with allow-scripts only if you trust the content — they together unlock everything the iframe can normally do.
allow-popups
Open new windows / tabs (target=_blank, window.open)
Some consent flows require it. Not needed for plain gameplay.
allow-popups-to-escape-sandbox
Popups opened from the iframe are NOT themselves sandboxed
Use with caution — combined with allow-popups this lets the iframe launch fully privileged windows.
allow-forms
Submit forms
Required by some consent or auth flows.
allow-pointer-lock
Capture the mouse pointer (FPS / first-person controls)
Only enable for games that explicitly use pointer-lock.
allow-modals
Show modal dialogs (alert, confirm, prompt, beforeunload)
Rarely needed; can be used to ambush the user with a confirm.
allow-presentation
Start a presentation session (e.g. cast to Chromecast)
Niche; presentation games only.
allow-downloads
Trigger downloads (a[download], window.location to a download)
Allow only when you trust the iframe — files appear in the user's downloads folder.
allow-storage-access-by-user-activation
Iframe can request first-party storage access (Storage Access API)
Newer browsers; useful for legitimate cross-site embeds.
allow-top-navigation
Iframe can navigate the top-level window (escape the embed)
Don't enable for third-party iframes — they can redirect your whole page.
allow-top-navigation-by-user-activation
Top-navigation, but only when the user clicks
Safer alternative to allow-top-navigation when a redirect is occasionally needed.
allow-orientation-lock
Lock screen orientation (mobile games)
Generally safe for landscape-only games.
Resulting attribute
sandbox="allow-scripts"
content_copy
Copy attribute