The sandbox attribute of the iframe element (new in HTML5, supported in IE10+ and all other evergreen browsers) provides web developers with a way tighten the restrictions on framed content beyond what Content Security Policy (CSP) provides for unsandboxed cross-origin iframes. With the sandbox attribute, you can instruct the browser to load a specific frame's content in a low-privilege environment, starting with the least privilege possible and then whitelisting the necessary subset of capabilities. It is also very important to note, however, that the sandbox attribute takes away some privileges from the framed content that CANNOT be whitelisted "back in". For example, any framed page running in a sandbox absolutely cannot run native plugins (e.g. Flash, Silverlight, Java, etc.). This decision was made because native plugins run unmanaged code that the browser cannot offer any further security verifications on, and are frequently sourced from third parties.