SECURITY Attribute

Internet Development Index

Sets the value indicating whether the source file of a frame or iframe has specific security restrictions applied.



Possible Values

sSecureString that specifies one of the following values.
restrictedApplies security settings to frame or iframe source files.


Note  sSecure must specify the value restricted.

The SECURITY attribute applies the user's security settings of Restricted Sites to the source file of a frame or iframe. These security setting are found on the Security tab of the Internet Options dialog box found on the Tools menu. Changing these setting could have various results including scripting to be allowed.

Independent of user security settings, the SECURITY attribute effects hyperlink behaviors inside a restricted frame or iframe in the following two ways.

  • Hyperlinks render in a new browser window. This happens even when the TARGET attribute specifies hyperlinks to render within a restricted frame or a frame nested within the restricted frame. For example, clicking on a hyperlink within the iframe below causes a new browser window to open with the requested document.
    <IFRAME SECURITY="restricted" src=""></IFRAME>
  • The SECURITY attribute restricts use of the javascript, vbscript, and about protocols in URLs. For example, in a restricted frame or iframe, the source file would not be able to execute the following code.
    <A HREF="javascript:alert('Will not work in restricted FRAME or IFRAME!');">
    JavaScript Link</A>

As usual, you can access the properties and contents of a restricted frame or iframe through the Document Object Model (DOM) of the container document.

If a frame is restricted by the SECURITY attribute, all nested frames share the same restrictions.

Because SECURITY is an attribute only, it must be defined in the frame element declaration.


The following example shows how to give the user the choice of loading a document into a restricted or unrestricted iframe. Note that the createElement method is used to create the two IFRAMES. The createElement method must use an HTML string for the parameter to specify the SECURITY attribute dynamically. This is because once the iframe is parsed into the document, it cannot be altered.

var bRestShown = false;
var bUnRestShown = false;
function createIframe(){
var sContents;
if ("restricted" && bRestShown!=true){
sContents = "<IFRAME SECURITY='restricted' SRC='frameSource.htm'>"
var newIframe = document.createElement(sContents);
else if ("unrestricted" && bUnRestShown!=true){
sContents = "<IFRAME SRC='frameSource.htm'>"
var newIframe = document.createElement(sContents);
<TD><INPUT ID="restricted" TYPE="BUTTON" ONCLICK="createIframe();bRestShown=true;"
VALUE="Create Restricted IFRAME"></TD>
<TD><INPUT ID="unrestricted" TYPE="BUTTON" ONCLICK="createIframe();bUnRestShown=true;" VALUE="Create Unrestricted IFRAME"></TD>
<b>IFRAME with SECURITY="restricted"</b>
<b>IFRAME without SECURITY attribute</b>
<SPAN id="restIframe"></SPAN>
<SPAN id="unRestIframe"></SPAN>
This feature requires Microsoft® Internet Explorer 6 or later. Click the following icon to install the latest version. Then reload this page to view the sample.

Applies To