Seamless Sandboxed Iframe

This prototype demonstrates embedding untrusted content in a sandbox without allow-same-origin, while still achieving seamless height adjustment. The parent page scrolls normally—no scroll inside the iframe.

↑ This is parent page content ABOVE the sandbox

Sandboxed Untrusted Content

↓ This is parent page content BELOW the sandbox — it should move as iframe resizes

How It Works

The untrusted content is wrapped with a small height-reporting script before being injected. This script uses postMessage to tell the parent its height whenever content changes.

The sandbox has only allow-scripts — no allow-same-origin — so the untrusted code cannot access the parent's DOM, cookies, or storage.
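The two halves described above, as an added example that is not the prototype's own code: the wrapper that prepends the height reporter, and the parent-side check that treats every reported height as untrusted input. The names REPORTER, wrapUntrusted, acceptHeight, mountSandbox, the 'sandbox-height' message type and the 20000px cap are assumptions.

```javascript
// Added example; all names and the MAX_HEIGHT value are assumptions, not from the prototype.
const MAX_HEIGHT = 20000; // cap so hostile content cannot stretch the parent page without bound

// Runs inside the sandbox: reports the document height whenever layout changes.
const REPORTER = `<script>
new ResizeObserver(function () {
  parent.postMessage(
    { type: 'sandbox-height', height: document.documentElement.scrollHeight }, '*');
}).observe(document.documentElement);
<\/script>`;

// The reporter goes first so unclosed tags in the untrusted HTML cannot swallow it.
function wrapUntrusted(untrustedHtml) {
  return '<!doctype html>' + REPORTER + untrustedHtml;
}

// Parent side: returns the height to apply, or null if the message is rejected.
function acceptHeight(event, iframe) {
  if (event.source !== iframe.contentWindow) return null; // not sent by our frame
  if (event.origin !== 'null') return null; // opaque origin serializes as "null"
  const d = event.data;
  if (!d || d.type !== 'sandbox-height') return null;
  if (typeof d.height !== 'number' || !Number.isFinite(d.height)) return null;
  return Math.min(Math.max(Math.ceil(d.height), 0), MAX_HEIGHT);
}

// Browser wiring: allow-scripts only, content delivered through srcdoc.
function mountSandbox(container, untrustedHtml) {
  const iframe = document.createElement('iframe');
  iframe.setAttribute('sandbox', 'allow-scripts'); // no allow-same-origin
  iframe.style.cssText = 'width:100%;border:0;height:0';
  iframe.srcdoc = wrapUntrusted(untrustedHtml);
  window.addEventListener('message', function (event) {
    const h = acceptHeight(event, iframe);
    if (h !== null) iframe.style.height = h + 'px';
  });
  container.appendChild(iframe);
  return iframe;
}
```

The untrusted code runs in the same document as the reporter and can post its own messages, so the parent only ever learns a number it must bound; nothing else in the message is acted on.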