Compose the sandbox attribute on an <iframe> one capability at a time. An empty sandbox blocks everything — scripts, forms, popups, top navigation, same-origin treatment, plugins. Each token below re-enables one capability. The combination allow-scripts allow-same-origin is a known escape: the framed page can remove its own sandbox by editing the parent's DOM, so avoid it for untrusted content.
Edit the inner HTML, then click Run to load it into the sandboxed iframe with the current token list. Watch the console for blocked actions.
An <iframe> without the sandbox attribute has every default capability. Adding sandbox="" (no value) is the most restrictive setting.

allow-scripts + allow-same-origin together let the embedded page reach into parent.document and remove the sandbox attribute itself, which is effectively an escape. Only use both for first-party trusted content.

allow-same-origin restores access to localStorage, indexedDB, cookies, and fetch with credentials. Without allow-same-origin, the document loads with an opaque origin.

sandbox does not replace Content-Security-Policy; pair them. For srcdoc, the parent CSP applies via frame-src / child-src.

allow-top-navigation-by-user-activation and allow-storage-access-by-user-activation require a real user gesture, so they're safer than the unconditional variants.
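The token-composition rules above, as an added example that is not part of this playground's own code: composeSandbox builds the attribute value from a token list, rejects unknown tokens, refuses the allow-scripts + allow-same-origin escape unless the caller marks the content as trusted, and warns when an unconditional token has a user-activation variant. The helper names (composeSandbox, createSandboxedFrame) and the trusted option are assumptions of this example.

```javascript
// Added example, not the playground's code. Sandbox tokens defined by the HTML
// spec; anything else is rejected rather than silently ignored by the browser.
const SANDBOX_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-storage-access-by-user-activation", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Unconditional tokens that have a gesture-gated alternative.
const USER_ACTIVATION_VARIANT = {
  "allow-top-navigation": "allow-top-navigation-by-user-activation",
};

// Returns { value, warnings }. value is the string to put in sandbox="...";
// an empty list yields "" (the most restrictive setting). The `trusted`
// option (assumed here) is the only way to get allow-scripts + allow-same-origin.
function composeSandbox(tokens, { trusted = false } = {}) {
  const seen = new Set();
  for (const raw of tokens) {
    const t = String(raw).trim().toLowerCase();
    if (!t) continue;
    if (!SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
    seen.add(t);
  }
  if (seen.has("allow-scripts") && seen.has("allow-same-origin") && !trusted) {
    throw new Error(
      "allow-scripts + allow-same-origin lets the frame remove its own sandbox; refused for untrusted content"
    );
  }
  const warnings = [];
  for (const [unconditional, gated] of Object.entries(USER_ACTIVATION_VARIANT)) {
    if (seen.has(unconditional)) warnings.push(`prefer ${gated} over ${unconditional}`);
  }
  return { value: [...seen].sort().join(" "), warnings };
}

// Browser-only helper: the sandbox attribute is set before srcdoc and before
// the frame is inserted, because sandboxing flags are fixed when the frame navigates.
function createSandboxedFrame(html, tokens, opts) {
  const { value, warnings } = composeSandbox(tokens, opts);
  warnings.forEach((w) => console.warn(w));
  const iframe = document.createElement("iframe");
  iframe.setAttribute("sandbox", value);
  iframe.srcdoc = html;
  return iframe;
}
```

In the playground, call createSandboxedFrame(innerHtml, tokenList) and append the result instead of toggling sandbox on an already-loaded frame.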