Iframe Sandbox Breakout Test Suite

Self-contained HTML for probing navigation, storage, JS, and permissions behavior inside sandboxed or cross-origin frames.

Environment & Sandbox Introspection

Values reported on load, so the results log can be tied to the embedding context:
  document.referrer
  document.domain
  document.origin
  frameElement sandbox (the sandbox attribute of the embedding frame; window.frameElement is null when the parent is cross-origin)
  top !== window (true when this page is embedded)

How to Use This Page

Run the tests in a normal tab, then in sandboxed iframes to see which capabilities flip between success and blocked.

  1. Open this page directly to capture baseline results.
  2. Embed it in an iframe with sandbox flags and compare the results log.
  3. Adjust the sandbox flags to see which APIs become available or blocked.

If a test turns green, a remediation note appears under that section to show how to block it.

Example iframe variants:

<iframe src="iframe-sandbox-test-suite.html"></iframe>
<iframe src="iframe-sandbox-test-suite.html" sandbox></iframe>
<iframe src="iframe-sandbox-test-suite.html" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="iframe-sandbox-test-suite.html" sandbox="allow-scripts allow-same-origin"></iframe>
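A companion for step 3: before running a variant, predict which sections of this suite should report blocked for a given sandbox attribute value, and flag token combinations a reviewer should question. This is an added example, not code from the test suite itself; the token list is the standard HTML sandbox token set, and the section names mirror this page.

```javascript
// Added example, not part of the test-suite page: given the sandbox attribute
// value of the embedding <iframe>, predict which sections of this suite should
// report "blocked", and flag token combinations a reviewer should question.
// Token names are the standard HTML sandbox tokens; section names mirror this page.

const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Section -> tokens of which at least one must be present for its tests to pass.
const SECTION_REQUIREMENTS = {
  "Location assignments / History API": ["allow-top-navigation", "allow-top-navigation-by-user-activation"],
  "Window Creation & Popups": ["allow-popups"],
  "Form Submission": ["allow-forms"],
  "Storage & Origin Access": ["allow-same-origin"],
  "JavaScript Capabilities": ["allow-scripts"],
  "alert / confirm / prompt": ["allow-modals"],
  "Pointer Lock": ["allow-pointer-lock"],
  "Downloads": ["allow-downloads"],
};

// attrValue: the sandbox attribute string, "" for a bare `sandbox`, or null
// when the attribute is absent (the frame is not sandboxed at all).
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) {
    return { sandboxed: false, tokens: new Set(), unknown: [] };
  }
  const tokens = new Set();
  const unknown = [];
  for (const raw of attrValue.split(/\s+/)) {
    if (!raw) continue;
    const tok = raw.toLowerCase(); // sandbox tokens are ASCII case-insensitive
    if (KNOWN_TOKENS.has(tok)) tokens.add(tok);
    else unknown.push(raw);       // browsers silently ignore unknown tokens
  }
  return { sandboxed: true, tokens, unknown };
}

function expectedResults(attrValue) {
  const { sandboxed, tokens, unknown } = parseSandbox(attrValue);
  const sections = {};
  for (const [name, needed] of Object.entries(SECTION_REQUIREMENTS)) {
    const granted = !sandboxed || needed.some((t) => tokens.has(t));
    sections[name] = granted ? "allowed" : "blocked";
  }
  const warnings = [];
  if (!sandboxed) {
    warnings.push("no sandbox attribute: every section should report allowed");
  }
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    warnings.push("allow-scripts + allow-same-origin: a same-origin frame can remove its own sandbox attribute");
  }
  if (tokens.has("allow-top-navigation")) {
    warnings.push("allow-top-navigation: the frame can navigate the top page without a user gesture; prefer allow-top-navigation-by-user-activation");
  }
  if (tokens.has("allow-popups-to-escape-sandbox")) {
    warnings.push("allow-popups-to-escape-sandbox: windows opened from the frame are not sandboxed");
  }
  for (const tok of unknown) {
    warnings.push(`unknown token ${JSON.stringify(tok)} is ignored by the browser (typo?)`);
  }
  return { sandboxed, sections, warnings };
}

// Usage: print the prediction for each of the iframe variants listed above,
// then compare it with the results log the page produces in that variant.
if (typeof require !== "undefined" && require.main === module) {
  for (const v of [null, "", "allow-scripts allow-forms", "allow-scripts allow-same-origin"]) {
    console.log(JSON.stringify(v), expectedResults(v));
  }
}
```

A bare `sandbox` (empty string) blocks every section, including scripts, so the suite itself cannot run there; that variant is useful only to confirm the embedding host applies the attribute. The unknown-token check matters because a misspelled token is not an error in the browser, it is simply a capability that stays blocked, which is easy to misread as a working restriction.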

Common toggles:

If blocked and you expect navigation to work, add allow-top-navigation-by-user-activation (or allow-top-navigation) and allow-scripts for scripted redirects.

Location assignments

History API

Window Creation & Popups

If blocked and you expect popups, add allow-popups (and allow-popups-to-escape-sandbox if needed).

window.open targets

noopener / noreferrer

Form Submission

If blocked and you expect form submissions, add allow-forms.

Submitting with target _top/_parent/_self may navigate away from this page.

POST to example.com (dummy), with target _top, _parent and _self

Storage & Origin Access

If blocked and you expect storage, add allow-same-origin and keep the frame on the same origin as the host.

document.cookie read/write

localStorage / sessionStorage

indexedDB open

JavaScript Capabilities

If blocked and you expect scripts, add allow-scripts and, only as far as the test needs it, relax the CSP script-src to permit inline scripts, data: URLs, or 'unsafe-eval'; each of those relaxations widens what can execute in the frame.

Inline script check

External script via data URL

eval and Function constructor

alert / confirm / prompt

Top-frame Access Checks

If blocked and you expect top-frame access, keep the frame on the same origin as the host and add allow-same-origin. Otherwise communicate through postMessage and check event.origin on every message received.

Read top.location.href
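The cross-origin alternative the note above points to, as an added example that is not part of the test suite: a postMessage channel where the host pins the sender origin and validates the message shape, and the frame pins the target origin. It is written as plain functions over event-like objects so the checks can be exercised outside a browser; the `fakeWindow` stand-in, the origins `https://frame.example` and `https://other.example`, and the `get-title` message type are constructed for the example.

```javascript
// Added example, not part of the test-suite page: origin-checked postMessage
// handling between a host page and a cross-origin frame. Window objects are
// stand-ins (see fakeWindow) so the logic runs under Node.

// Host (top frame) side: accept only messages from the expected frame origin,
// and only a fixed set of message types.
function createHostHandler({ allowedOrigins, handlers }) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    // 1. Origin pinning: messages from any other origin are dropped, not answered.
    if (!allowed.has(event.origin)) return { accepted: false, reason: "origin not allowed" };
    // 2. Shape validation: event.data is attacker-controlled, never assume a well-formed object.
    const msg = event.data;
    if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
      return { accepted: false, reason: "malformed message" };
    }
    const handler = Object.prototype.hasOwnProperty.call(handlers, msg.type) ? handlers[msg.type] : null;
    if (!handler) return { accepted: false, reason: `unknown type ${msg.type}` };
    const reply = handler(msg);
    // 3. Reply with the sender's origin as targetOrigin, never "*", so the reply
    //    is not delivered if the frame has since navigated elsewhere.
    if (reply !== undefined && event.source && typeof event.source.postMessage === "function") {
      event.source.postMessage(reply, event.origin);
    }
    return { accepted: true, reply };
  };
}

// Frame side: send to the parent with an explicit targetOrigin for the same reason.
function sendToParent(parentWindow, message, parentOrigin) {
  if (parentOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  parentWindow.postMessage(message, parentOrigin);
}

// Constructed stand-in for a Window that records postMessage calls.
function fakeWindow() {
  const sent = [];
  return { sent, postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); } };
}

// Drives the handler with constructed events: one legitimate, one from the
// wrong origin, one malformed, one with an unregistered type.
function demo() {
  const host = createHostHandler({
    allowedOrigins: ["https://frame.example"],
    handlers: {
      // The host exposes only what it chooses; here a fixed title instead of top.location.
      "get-title": () => ({ type: "title", value: "Host page" }),
    },
  });
  const frame = fakeWindow();
  const good = host({ origin: "https://frame.example", data: { type: "get-title" }, source: frame });
  const badOrigin = host({ origin: "https://other.example", data: { type: "get-title" }, source: frame });
  const badShape = host({ origin: "https://frame.example", data: "get-title", source: frame });
  const badType = host({ origin: "https://frame.example", data: { type: "read-location" }, source: frame });
  return { good, badOrigin, badShape, badType, sent: frame.sent };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a real page the host registers `onMessage` with `window.addEventListener("message", ...)` and the frame calls `sendToParent(window.parent, msg, hostOrigin)`; the parts worth keeping are the three checks in the handler, since a frame that is cross-origin to the host cannot read top.location directly and the host should not hand out more than the handler table allows.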

Pointer & Focus

If blocked and you expect pointer lock, add allow-pointer-lock and ensure a user gesture.

Focus / Pointer Lock

Downloads

If blocked and you expect downloads, add allow-downloads (or allow-downloads-without-user-activation).

Clipboard

If blocked and you expect clipboard access, add allow="clipboard-read; clipboard-write" on the iframe and require a user gesture.

Read / write

Fullscreen

If blocked and you expect fullscreen, add allowfullscreen (or allow="fullscreen") on the iframe and require a user gesture.

documentElement.requestFullscreen

Permissions & APIs

If blocked and you expect access, add the matching allow attribute on the iframe (for example allow="geolocation; microphone; camera") and configure the host's Permissions-Policy header so those features are delegated to the frame's origin.

Geolocation

Notifications

MediaDevices