Solution 1 :

Mozilla’s iframe documentation listing all available attributes for the is here:

If you look at “sandbox” there is no restriction specific to image or other includes, just restrictions on things like running JavaScript. There are no other attributes that would restrict images and includes.

To solve the problem of images and includes in your HTML you will need to filter the HTML either at the server before sending it or in the client after it arrives.


  • Before storing it into the database.
  • In the code that retrieves the HTML and returns it to the iframe.


  • Use AJAX to fill the iframe with the HTML, with code that filters a
    response. With this approach you could also use a div instead of an
    iframe if that works better for your layout.
  • If all of your users will use Chrome or Firefox, you could look at writing a browser extension.
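
As an added illustration of the server-side filtering this answer recommends (example code written here, not from the original post or from any library it mentions), the following Python `html.parser` pass strips every auto-loading reference from a stored message before it is handed to the iframe. The element and attribute lists, the `_refs_url` heuristic and the sample email are my own assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Elements that fetch a resource on their own (or alter the document): removed with their content.
DROP_ELEMENTS = {"script", "link", "iframe", "frame", "object", "embed", "applet", "audio",
                 "video", "source", "track", "base", "meta", "image", "use"}
VOID = {"base", "embed", "link", "meta", "source", "track"}  # void members of DROP_ELEMENTS
# Attributes that trigger a fetch as soon as the element renders.
DROP_ATTRS = {"src", "srcset", "poster", "background", "data", "ping", "formaction", "lowsrc"}

def _refs_url(text):  # CSS can fetch via url() or @import, in <style> blocks and style="" attributes
    return "url(" in text.lower() or "@import" in text.lower()

class RemoteContentStripper(HTMLParser):
    """Re-emits the HTML with every auto-loading reference removed (comments are not re-emitted)."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped below
        self.out, self._skip, self._in_style = [], 0, False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self._skip += 0 if tag in VOID else 1  # swallow content up to the matching end tag
        elif not self._skip:
            self._in_style = tag == "style"
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n not in DROP_ATTRS and not (n == "style" and _refs_url(v or ""))]
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):  # <br/> etc.: emit the start tag only
        if tag not in DROP_ELEMENTS:
            self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS and tag not in VOID:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self._in_style = False
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self._skip or (self._in_style and _refs_url(data)):
            return  # a <style> block that uses url()/@import is dropped whole (coarse but safe)
        self.out.append(data if self._in_style else escape(data, quote=False))

def strip_remote_content(html):
    parser = RemoteContentStripper()
    parser.feed(html); parser.close()
    return "".join(parser.out)

# Constructed sample of a tracking-laden marketing email (not from the original post).
SAMPLE_EMAIL = ('<html><head><style>.hdr{background:url(https://tracker.example/px)}</style>'
    '<link rel="stylesheet" href="https://cdn.example/a.css"></head><body>'
    '<p style="background-image:url(https://tracker.example/bg.gif)">Hi &amp; welcome</p>'
    '<img src="https://tracker.example/open.gif?id=42" alt="logo" width="1">'
    '<a href="https://shop.example/offer">Offer</a><script src="https://cdn.example/x.js"></script></body></html>')
```

The filtered markup still goes into the sandboxed iframe; serving that document with a `Content-Security-Policy: default-src 'none'` header is a second layer that stops any reference the filter misses.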

Problem :

We have a web admin panel in which the agents can see conversations with customers.

Those conversations are the result of importing normal emails through an IMAP connection. We grab the “untouched” mailbox files and we store them in a database. Then we post-process the files to index by “from”, “to”, “date” and so on and so forth.

Up to here, okay. We can seek all the emails involved with a client and render them at will.

Then when the agent looks for a customer in the web admin panel and opens it, the full email conversation appears. And we display the HTML version of the email within an iframe (or the text version if the HTML version is not there). 90% of the customers send HTML.

What happens? Upon the agent opening the email in our web, the iframe loads the “full html” and renders it. This makes “remote loading” (images, sounds, styles if so, and whatever) to be downloaded. This allows customers to “track” if we opened the email by appending tracking IDs to the assets (typical

I’ve tried the “sandbox” attribute of the iframe html tag with no luck (it still downloads the images).


How can I programmatically tell the iframe to not load ANY remote content, and just render the initial HTML without any remote call?


Comment posted by Dave S

There is no attribute for iframes that disables image loading. You need to either parse and sanitize the HTML loaded from your database using script code, or write a browser extension to customize iframe behavior, or possibly use AJAX to fill the iframe and do the same HTML filtering with JavaScript in the browser.

Comment posted by Xavi Montero

I suspected that… I tried to find official documentation that supports that but I was not able. If we can find documentation stating that, place the comment as an answer with the links and I’ll accept!! Thanks.

Comment posted by Content Security Policy

Have you tried looking into

Comment posted by

For doing server-side processing this can be of use: