allowsameorigin

allowsameorigin, commonly referred to as allow-same-origin, is a token used in the HTML5 sandbox attribute. When included, it causes the sandboxed document to be treated as if it originates from the same origin as the embedding document, rather than being assigned a unique origin by the sandbox. Without this token, a sandboxed page behaves as a unique-origin document, which restricts many cross-origin interactions.

The token affects how the sandboxed content interacts with storage and scripting. With allow-same-origin, the embedded document can access its own cookies, localStorage, IndexedDB, and other origin-bound resources as if it were not sandboxed, and can participate in same-origin interactions with the parent document to the extent permitted by the surrounding security restrictions. However, the sandbox continues to constrain certain capabilities (for example, script execution and navigation) unless the corresponding tokens are also present. The net effect is a balance between isolation and functionality: the sandbox preserves most protections while enabling standard-origin behavior for the embedded content.

Security and usage considerations are important. Allow-same-origin increases the surface for data leakage and cross-context interaction, so it should be used only when the embedded content truly requires access to its origin's resources or needs to cooperate with the parent page. When possible, restrict the iframe with the smallest set of allowed tokens and serve content from trusted sources. It is not a substitute for proper isolation practices, and developers should assess the risk of enabling same-origin behavior in sandboxed contexts.

Example: <iframe src="example.html" sandbox="allow-scripts allow-same-origin"></iframe>

Support for sandbox tokens, including allow-same-origin, is provided by modern browsers, with behavior consistent with current HTML5 specifications.
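The following is an added example, not code from the original page: a small audit script that scans markup for iframe elements, parses each sandbox token set, and reports whether the frame keeps its real origin (storage and same-origin access) or gets an opaque one. It also flags the combination shown in the example above, allow-scripts together with allow-same-origin, when the framed document is same-origin with the embedder; per the HTML Standard, such a document can remove the sandbox attribute from its own iframe and reload itself, so the sandbox provides no isolation in that case. The sample markup and the embedder origin https://app.example are constructed for the demonstration.

```javascript
// Added example (not from the original page): audit the sandbox token sets of
// <iframe> elements in an HTML string and report the effective origin treatment.
// The sample markup and the embedder origin "https://app.example" are constructed.

// Sandbox tokens defined by the HTML Standard; browsers ignore anything else,
// so an unrecognised token usually means a typo in the policy.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// The sandbox attribute is an ASCII-case-insensitive, whitespace-separated token set.
function parseSandboxTokens(value) {
  return value.trim().toLowerCase().split(/\s+/).filter(Boolean);
}

// Describe what a token set means for a frame whose document has frameOrigin
// and whose embedding page has embedderOrigin.
function describeSandbox(tokens, frameOrigin, embedderOrigin) {
  const t = new Set(tokens);
  const sameOriginToken = t.has("allow-same-origin");
  const scriptsToken = t.has("allow-scripts");
  const warnings = tokens
    .filter((tok) => !KNOWN_TOKENS.has(tok))
    .map((tok) => `unknown sandbox token "${tok}"`);
  // Without allow-same-origin the document gets an opaque (unique) origin: no
  // cookies, localStorage or IndexedDB keyed to its real origin, and no
  // same-origin access to the embedder. With it, the document keeps its origin.
  const opaqueOrigin = !sameOriginToken;
  // Caveat from the HTML Standard: a same-origin document with both
  // allow-scripts and allow-same-origin can reach the parent DOM, strip the
  // sandbox attribute and reload itself, escaping the sandbox entirely.
  const canEscapeSandbox =
    sameOriginToken && scriptsToken && frameOrigin === embedderOrigin;
  if (canEscapeSandbox) {
    warnings.push(
      "allow-scripts + allow-same-origin on same-origin content: sandbox is removable by the frame"
    );
  }
  return {
    opaqueOrigin,
    storageAccess: sameOriginToken,
    scriptsRun: scriptsToken,
    canEscapeSandbox,
    warnings,
  };
}

// Scan markup for <iframe> start tags. A regex suffices for auditing static
// templates; use a real HTML parser for arbitrary documents.
function auditIframes(html, embedderOrigin) {
  const findings = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(attrs);
    // A frame without src is about:blank, which inherits the embedder's origin.
    const src = srcMatch ? srcMatch[1] || srcMatch[2] || "" : "";
    const frameOrigin = src ? new URL(src, embedderOrigin).origin : embedderOrigin;
    const sbMatch = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?/i.exec(attrs);
    if (!sbMatch) {
      findings.push({ src, frameOrigin, sandboxed: false, tokens: [],
                      warnings: ["no sandbox attribute"] });
      continue;
    }
    // A bare `sandbox` attribute is an empty token set: fully restricted.
    const tokens = parseSandboxTokens(sbMatch[1] || sbMatch[2] || "");
    findings.push({ src, frameOrigin, sandboxed: true, tokens,
                    ...describeSandbox(tokens, frameOrigin, embedderOrigin) });
  }
  return findings;
}

// Constructed sample: four frames embedded by a page at https://app.example.
const EMBEDDER_ORIGIN = "https://app.example";
const SAMPLE_HTML = `
<iframe src="example.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://widgets.example.net/w.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="/untrusted.html" sandbox="allow-scripts"></iframe>
<iframe src="/legacy.html"></iframe>
`;

console.log(JSON.stringify(auditIframes(SAMPLE_HTML, EMBEDDER_ORIGIN), null, 2));
```

Run with node. The first frame is flagged: it is same-origin with the embedder and carries both tokens, so the sandbox is removable. The second keeps its real origin (storage and scripts work) but, being cross-origin, cannot touch the embedder. The third runs scripts under an opaque origin, which is the usual choice for untrusted content. The fourth is reported simply as unsandboxed.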