What is the difference between srcdoc="..." and src="data:text/html,..." in an ?</a></h1> </div> <div class="grid fw-wrap pb8 mb16 bb bc-black-075"> <div class="grid--cell ws-nowrap mr16 mb8" title="2016-01-12 19:07:53Z"> <span class="fc-light mr2">Asked</span> <time itemprop="dateCreated" datetime="2013-11-02T04:40:00.090" class="fromnow">Nov 02 '13 at 04:40</time> </div> <div class="grid--cell ws-nowrap mr16 mb8"> <span class="fc-light mr2">Active</span> <time class="fromnow" title="2023-05-11T14:54:53.843" datetime="2023-05-11T14:54:53.843">May 11 '23 at 14:54</a> </div> <div class="grid--cell ws-nowrap mb8" title="Viewed 68,969 times"> <span class="fc-light mr2">Viewed</span> 6.9k times </div> </div> <div id="mainbar" role="main" aria-label="questions and answers"> <div id="question" class="question" data-questionid="19739001" data-ownerid="1529630" data-score="93"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="19739001"> <button class="js-vote-up-btn grid--cell s-btn s-btnunset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="93">93</div> <button class="js-bookmark-btn s-btn s-btnunset c-pointer py4"> <svg aria-hidden="true" class="svg-icon iconBookmark" width="18" height="18" viewBox="0 0 18 18"><path d="M6 1a2 2 0 00-2 2v14l5-4 5 4V3a2 2 0 00-2-2H6zm3.9 3.83h2.9l-2.35 1.7.9 2.77L9 7.59l-2.35 1.7.9-2.76-2.35-1.7h2.9L9 2.06l.9 2.77z"></path></svg> <div class="js-bookmark-count mt4" data-value="0">0</div> </button> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><p>For example, which is the difference between these:</p> <pre><code><iframe srcdoc="<p>Some HTML</p>"></iframe> <iframe src="data:text/html,<p>Some HTML</p>"></iframe> </code></pre> <p><a class="external-link" href="http://jsfiddle.net/8Wf8L/" rel="noreferrer"><strong>Demo</strong></a></p> <p>And, in case they are exactly the same, why did HTML5 add <code>srcdoc</code> attribute?</p> <p><strong>Edit</strong></p> <p>Maybe I wasn't clear enough. I am not comparing <code>src</code> with <code>srcdoc</code>, but <code>src</code> using text/html data URI with <code>srcdoc</code>.</p> <p>Then, if the functionality chart is like this</p> <pre> | src attribute | srcdoc attribute -------------------------------------------------------------------- URL | Yes | No without using src () HTML content | Yes, using data URI | Yes </pre> <p>why is <code>srcdoc</code> needed?</p> <hr/> <p><strong>() Note</strong>:</p> <p>It seems <code>srcdoc</code> can be used to load a page by URL (<a class="external-link" href="http://jsfiddle.net/8Wf8L/3/" rel="noreferrer">Demo</a>), using a subiframe with <code>src</code>attribute:</p> <pre><code><iframe srcdoc="<iframe src='http://microsoft.com'></iframe>"></iframe> </code></pre></div> <div class="mt24 mb12"> <div class="post-taglist grid gs4 gsy fd-column"> <div class="grid ps-relative"> <a href="../../questions/tagged/html" class="post-tag js-gps-track" title="show questions tagged 'html'" rel="tag">html</a> <a href="../../questions/tagged/iframe" class="post-tag js-gps-track" title="show questions tagged 'iframe'" rel="tag">iframe</a> </div> </div> </div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="edited Mar 21 '21 at 12:19">edited Mar 21 '21 at 12:19</time> <a href="../../users/3897775/rounin" class="s-avatar s-avatar32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/3897775.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Rounin" /> </a> <div class="s-user-card--info"> <a href="../../users/3897775/rounin" class="s-user-card--link">Rounin</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">27,134</li> <li class="s-award-bling s-award-blinggold" title="9 gold badges">9</li> <li class="s-award-bling s-award-blingsilver" title="83 silver badges">83</li> <li class="s-award-bling s-award-blingbronze" title="108 bronze badges">108</li> </ul> </div> </div> </div> <div class="post-signature owner grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="asked Nov 02 '13 at 04:40">asked Nov 02 '13 at 04:40</time> <a href="../../users/1529630/oriol" class="s-avatar s-avatar32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/1529630.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Oriol" /> </a> <div class="s-user-card--info"> <a href="../../users/1529630/oriol" class="s-user-card--link">Oriol</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">274,082</li> <li class="s-award-bling s-award-blinggold" title="63 gold badges">63</li> <li class="s-award-bling s-award-blingsilver" title="437 silver badges">437</li> <li class="s-award-bling s-award-blingbronze" title="513 bronze badges">513</li> </ul> </div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> </div> </div> </div> <div id="answers"> <a name="tab-top"></a> <div id="answers-header"> <div class="answers-subheader grid ai-center mb8"> <div class="grid--cell fl1"> <h2 class="mb0" data-answercount="9">9 Answers<span style="display:none;" itemprop="answerCount">9</span></h2> </div> </div> </div> <a name="30507852"></a> <div id="answer-30507852" class="answer " data-answerid="30507852" data-ownerid="2121349" data-score="65" itemprop="suggestedAnswer" itemscope="" itemtype="https://schema.org/Answer"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="30507852"> <button class="js-vote-up-btn grid--cell s-btn s-btnunset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="65">65</div> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><p>The other answers list some superficial differences, but really miss the mark of the key difference that explains <em>why</em> browsers/spec writers would essentially duplicate something that already exists:</p> <p><code><iframe src="data:...untrusted content" sandbox /></code> <- Secure in modern browsers, <strong>insecure</strong> in legacy browsers with no sandbox support</p> <p><code><iframe srcdoc="...untrusted content" sandbox /></code> <- Secure in modern browsers, <strong>secure</strong> (though non-functional) in legacy browsers</p> <p>This new syntax provides content authors a way to protect their users, even when they may be using legacy browsers. Without it, content authors would be reluctant to use the sandbox feature at all, and it would not see use.</p></div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature grid--cell"> <div class="user-info "> <div class="user-action-time">edited <span title="2015-07-07T19:14:43.610" class="relativetime">Jul 07 '15 at 19:14</span></div> <div class="user-gravatar32"></div> <div class="user-details" itemprop="author" itemscope="" itemtype="http://schema.org/Person"> <span class="d-none" itemprop="name">Fabio Beltramini</span> <div class="-flair"></div> </div> </div> </div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="answered May 28 '15 at 13:23">answered May 28 '15 at 13:23</time> <a href="../../users/2121349/fabio-beltramini" class="s-avatar s-avatar32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/2121349.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Fabio Beltramini" /> </a> <div class="s-user-card--info"> <a href="../../users/2121349/fabio-beltramini" class="s-user-card--link">Fabio Beltramini</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">2,441</li> <li class="s-award-bling s-award-blinggold" title="1 gold badge">1</li> <li class="s-award-bling s-award-blingsilver" title="16 silver badge">16</li> <li class="s-award-bling s-award-bling__bronze" title="25 bronze badge">25</li> </ul> </div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> <div id="comments-30507852" class="comments js-comments-container bt bc-black-075 mt12 " data-post-id="30507852" data-min-length="15"> <ul class="comments-list js-comments-list" data-remaining-comments-count="0" data-canpost="false" data-cansee="true" data-comments-unavailable="false" data-addlink-disabled="true"> <li id="comment-56097439" class="comment js-comment " data-comment-id="56097439" data-comment-owner-id="239657" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment56097439_30507852"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">If the main benefit is untrusted content, why spec it to contain the content inline — doesn't most untrusted content come from external URLs? I.e. why not `sandboxedsrc` attribute that takes a [data] URI? (It'd also avoid some future browser from implementing srcdoc without implementing sandbox).</span> – <a href="../../users/239657/beni-cherniavsky-paskin" title="9,483 reputation" class="comment-user ">Beni Cherniavsky-Paskin</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment56097439_30507852"><span title="2015-12-09T09:38:42.527 License: CC BY-SA 3.0" class="relativetime-clean">Dec 09 '15 at 09:38</span></a></span> </div> </div> </li> <li id="comment-56161261" class="comment js-comment " data-comment-id="56161261" data-comment-owner-id="2121349" data-comment-score="1"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> <span title="number of 'useful comment' votes received" class="warm">1</span> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment56161261_30507852"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">Because authors can already use external urls (on a separate domain) to serve untrusted content.</span> – <a href="../../users/2121349/fabio-beltramini" title="2,441 reputation" class="comment-user ">Fabio Beltramini</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment56161261_30507852"><span title="2015-12-10T17:45:45.953 License: CC BY-SA 3.0" class="relativetime-clean">Dec 10 '15 at 17:45</span></a></span> </div> </div> </li> <li id="comment-100205467" class="comment js-comment " data-comment-id="100205467" data-comment-owner-id="467460" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment100205467_30507852"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">What do you mean by secure? It can’t access the embedding page? The embedding paye can’t access it? Or both? Or what</span> – <a href="../../users/467460/gregory-magarshak" title="1,883 reputation" class="comment-user ">Gregory Magarshak</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment100205467_30507852"><span title="2019-06-30T16:59:08.403 License: CC BY-SA 4.0" class="relativetime-clean">Jun 30 '19 at 16:59</span></a></span> </div> </div> </li> <li id="comment-100205502" class="comment js-comment " data-comment-id="100205502" data-comment-owner-id="467460" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment100205502_30507852"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">Otherwise What is the point of this over a regular div or HTML component</span> – <a href="../../users/467460/gregory-magarshak" title="1,883 reputation" class="comment-user ">Gregory Magarshak</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment100205502_30507852"><span title="2019-06-30T17:01:08.453 License: CC BY-SA 4.0" class="relativetime-clean">Jun 30 '19 at 17:01</span></a></span> </div> </div> </li> <li id="comment-100231870" class="comment js-comment " data-comment-id="100231870" data-comment-owner-id="2121349" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment100231870_30507852"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">Any article on iframe's "sandbox" will discuss what benefits it provides</span> – <a href="../../users/2121349/fabio-beltramini" title="2,441 reputation" class="comment-user ">Fabio Beltramini</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment100231870_30507852"><span title="2019-07-01T17:14:45.897 License: CC BY-SA 4.0" class="relativetime-clean">Jul 01 '19 at 17:14</span></a></span> </div> </div> </li> </ul> </div> </div> </div> </div> <a name="41800811"></a> <div id="answer-41800811" class="answer " data-answerid="41800811" data-ownerid="2168255" data-score="23" itemprop="suggestedAnswer" itemscope="" itemtype="https://schema.org/Answer"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="41800811"> <button class="js-vote-up-btn grid--cell s-btn s-btn__unset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="23">23</div> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><p>iframe with <code>src</code> attribute with HTML Content <strong>is cross domain</strong>. This is true even with <a class="external-link" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URLs" rel="nofollow noreferrer">data URLs</a> as mentioned <a class="external-link" href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy" rel="nofollow noreferrer">here</a></p> <blockquote> <p><code>data:</code> URLs get a <strong>new</strong>, empty, security context.</p> </blockquote> <p>But iframe with <code>srcdoc</code> attribute with HTML Content is <strong>not cross domain</strong>.</p> <p>So using the <code>src</code> attribute might <strong>cause errors</strong> if you try to access/manipulate the iframe from the parent page:</p> <blockquote> <p>Blocked a frame with origin "..." from accessing a cross-origin frame.</p> </blockquote></div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="edited Apr 14 '23 at 22:26">edited Apr 14 '23 at 22:26</time> <a href="../../users/1175496/nate-anderson" class="s-avatar s-avatar32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/1175496.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Nate Anderson" /> </a> <div class="s-user-card--info"> <a href="../../users/1175496/nate-anderson" class="s-user-card--link">Nate Anderson</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">18,334</li> <li class="s-award-bling s-award-blinggold" title="18 gold badges">18</li> <li class="s-award-bling s-award-blingsilver" title="100 silver badges">100</li> <li class="s-award-bling s-award-blingbronze" title="135 bronze badges">135</li> </ul> </div> </div> </div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="answered Jan 23 '17 at 07:00">answered Jan 23 '17 at 07:00</time> <a href="../../users/2168255/devin-zhang" class="s-avatar s-avatar32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/2168255.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Devin Zhang" /> </a> <div class="s-user-card--info"> <a href="../../users/2168255/devin-zhang" class="s-user-card--link">Devin Zhang</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">349</li> <li class="s-award-bling s-award-blingsilver" title="2 silver badges">2</li> <li class="s-award-bling s-award-bling__bronze" title="7 bronze badges">7</li> </ul> </div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> <div id="comments-41800811" class="comments js-comments-container bt bc-black-075 mt12 " data-post-id="41800811" data-min-length="15"> <ul class="comments-list js-comments-list" data-remaining-comments-count="0" data-canpost="false" data-cansee="true" data-comments-unavailable="false" data-addlink-disabled="true"> <li id="comment-70808833" class="comment js-comment " data-comment-id="70808833" data-comment-owner-id="1529630" data-comment-score="3"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> <span title="number of 'useful comment' votes received" class="warm">3</span> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment70808833_41800811"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">That's a good point, Chrome treats data URIs as cross domain. Firefox treats them as same origin, not sure what Edge does.</span> – <a href="../../users/1529630/oriol" title="274,082 reputation" class="comment-user owner">Oriol</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment70808833_41800811"><span title="2017-01-23T15:59:24.740 License: CC BY-SA 3.0" class="relativetime-clean">Jan 23 '17 at 15:59</span></a></span> </div> </div> </li> <li id="comment-100205382" class="comment js-comment " data-comment-id="100205382" data-comment-owner-id="467460" data-comment-score="2"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> <span title="number of 'useful comment' votes received" class="warm">2</span> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment100205382_41800811"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">What do you mean by “not cross domain”?</span> – <a href="../../users/467460/gregory-magarshak" title="1,883 reputation" class="comment-user ">Gregory Magarshak</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment100205382_41800811"><span title="2019-06-30T16:52:39.740 License: CC BY-SA 4.0" class="relativetime-clean">Jun 30 '19 at 16:52</span></a></span> </div> </div> </li> <li id="comment-107998905" class="comment js-comment " data-comment-id="107998905" data-comment-owner-id="209942" data-comment-score="2"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> <span title="number of 'useful comment' votes received" class="warm">2</span> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment107998905_41800811"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">@GregoryMagarshak "Not cross-domain", meaning the iframe content will be treated as coming from same domain as the parent-page. Thus, it won't be restricted by browser same-origin policy, which normally prevents browser from accessing content of the remote page, as it would be when you use src='some-url.com'. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy</span> – <a href="../../users/209942/johny-why" title="2,047 reputation" class="comment-user ">johny why</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment107998905_41800811"><span title="2020-04-05T17:21:58.257 License: CC BY-SA 4.0" class="relativetime-clean">Apr 05 '20 at 17:21</span></a></span> </div> </div> </li> </ul> </div> </div> </div> </div> <a name="19739077"></a> <div id="answer-19739077" class="answer " data-answerid="19739077" data-ownerid="1542290" data-score="22" itemprop="suggestedAnswer" itemscope="" itemtype="https://schema.org/Answer"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="19739077"> <button class="js-vote-up-btn grid--cell s-btn s-btn__unset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="22">22</div> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><p>From <a class="external-link" href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#srcdoc" rel="nofollow noreferrer">MDN documentation on the <code>srcdoc</code> attribute</a> :</p> <blockquote> <p><strong>Inline HTML</strong> to embed, <strong>overriding the <code>src</code> attribute</strong>. If a browser does not support the <code>srcdoc</code> attribute, it will <strong>fall back to the URL in the <code>src</code> attribute.</strong></p> </blockquote> <p><a class="external-link" href="https://web.archive.org/web/20131003004733/https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe" rel="nofollow noreferrer">Older MDN documentation</a> on <code>srcdoc</code> says:</p> <blockquote> <p>The <strong>content</strong> of the page that the embedded context is to contain. This attribute is expected to be used together with the <code>sandbox</code> and <code>seamless</code> attributes.</p> </blockquote> <p><strong>So, the <code>srcdoc</code> attribute overrides the content embedded using <code>src</code> attribute.</strong></p> <p><a class="external-link" href="http://jsfiddle.net/JWeeh/" rel="nofollow noreferrer"><strong>Demo</strong></a></p> <p>(Note: The <a href="../../a/5632609#5632609"><code>seamless</code> attribute has since been removed</a>, and <a href="../../a/30507852#30507852">another answer</a> describes how <code>sandbox</code> attribute <strong>should be "used with the <code>srcdoc</code> attribute"</strong>; both attributes were introduced in HTML5; <code>sandbox</code> should be used in case the <code>srcdoc</code> <strong>contains untrusted content</strong>.</p> <hr/> <p>Also, what you are saying about the following snippet <code>data:text/html</code> is called <a class="external-link" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URLs" rel="nofollow noreferrer">data URL</a> and <strong>it might have length limitations, so <code>src</code> is limited in what it can show, whereas <code>srcdoc</code> is less limited.</strong></p> <p>MSDN mentions <a class="external-link" href="http://msdn.microsoft.com/en-us/library/cc848897%28VS.85%29.aspx" rel="nofollow noreferrer">length limitations</a>:</p> <blockquote> <p>Data URIs cannot be larger than 32,768 characters.</p> </blockquote> <p>But other browsers might have <a class="external-link" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URLs#length_limitations" rel="nofollow noreferrer">different data URL length limits (higher limits) on data URLs themselves</a> (see Chromium might allow 512 URLs), but <a href="../../a/41755526#41755526">still not allow URLs to exceed 2MB</a></p></div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="edited Apr 14 '23 at 22:45">edited Apr 14 '23 at 22:45</time> <a href="../../users/1175496/nate-anderson" class="s-avatar s-avatar32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/1175496.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Nate Anderson" /> </a> <div class="s-user-card--info"> <a href="../../users/1175496/nate-anderson" class="s-user-card--link">Nate Anderson</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">18,334</li> <li class="s-award-bling s-award-blinggold" title="18 gold badges">18</li> <li class="s-award-bling s-award-blingsilver" title="100 silver badges">100</li> <li class="s-award-bling s-award-blingbronze" title="135 bronze badges">135</li> </ul> </div> </div> </div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="answered Nov 02 '13 at 04:53">answered Nov 02 '13 at 04:53</time> <a href="../../users/1542290/mr-alien" class="s-avatar s-avatar32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/1542290.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Mr. Alien" /> </a> <div class="s-user-card--info"> <a href="../../users/1542290/mr-alien" class="s-user-card--link">Mr. Alien</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">153,751</li> <li class="s-award-bling s-award-blinggold" title="34 gold badges">34</li> <li class="s-award-bling s-award-blingsilver" title="298 silver badges">298</li> <li class="s-award-bling s-award-blingbronze" title="278 bronze badges">278</li> </ul> </div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> <div id="comments-19739077" class="comments js-comments-container bt bc-black-075 mt12 " data-post-id="19739077" data-min-length="15"> <ul class="comments-list js-comments-list" data-remaining-comments-count="0" data-canpost="false" data-cansee="true" data-comments-unavailable="false" data-addlink-disabled="true"> <li id="comment-29336934" class="comment js-comment " data-comment-id="29336934" data-comment-owner-id="258127" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment29336934_19739077"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">"So, the `srcdoc` attribute overrides the content embedded using `src` attribute." Apparently not in Firefox 24, I see two IFrames with Microsoft's website in it.</span> – <a href="../../users/258127/marcel-korpel" title="21,536 reputation" class="comment-user ">Marcel Korpel</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment29336934_19739077"><span title="2013-11-02T15:49:16.977 License: CC BY-SA 3.0" class="relativetime-clean">Nov 02 '13 at 15:49</span></a></span> </div> </div> </li> <li id="comment-29336975" class="comment js-comment " data-comment-id="29336975" data-comment-owner-id="1529630" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment29336975_19739077"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">@MarcelKorpel The first version of Firefox which supports `srcdoc` is 25 (https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#Browser_compatibility)</span> – <a href="../../users/1529630/oriol" title="274,082 reputation" class="comment-user owner">Oriol</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment29336975_19739077"><span title="2013-11-02T15:51:27.527 License: CC BY-SA 3.0" class="relativetime-clean">Nov 02 '13 at 15:51</span></a></span> </div> </div> </li> <li id="comment-29337071" class="comment js-comment " data-comment-id="29337071" data-comment-owner-id="1529630" data-comment-score="2"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> <span title="number of 'useful comment' votes received" class="warm">2</span> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment29337071_19739077"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">@MrAlien Good point about the length limitation of data URIs, unlike html attributes which [have no limit](http://stackoverflow.com/questions/1496096/is-there-a-limit-to-the-length-of-html-attributes). Anyway, it seems that limit is imposed by Microsoft implementation, because [MDN](https://developer.mozilla.org/en-US/docs/data_URIs) don't say anything about a limit, and the [RFC standard](http://tools.ietf.org/html/rfc2397) only says "Note that some applications that use URLs may impose a length limit"</span> – <a href="../../users/1529630/oriol" title="274,082 reputation" class="comment-user owner">Oriol</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment29337071_19739077"><span title="2013-11-02T15:57:52.683 License: CC BY-SA 3.0" class="relativetime-clean">Nov 02 '13 at 15:57</span></a></span> </div> </div> </li> <li id="comment-29337587" class="comment js-comment " data-comment-id="29337587" data-comment-owner-id="1542290" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment29337587_19739077"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">@MarcelKorpel take aalook at seamless attribute and other newer html5 attributes and you will get why you need srcdoc</span> – <a href="../../users/1542290/mr-alien" title="153,751 reputation" class="comment-user ">Mr. Alien</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment29337587_19739077"><span title="2013-11-02T16:27:43.103 License: CC BY-SA 3.0" class="relativetime-clean">Nov 02 '13 at 16:27</span></a></span> </div> </div> </li> <li id="comment-29337604" class="comment js-comment " data-comment-id="29337604" data-comment-owner-id="1542290" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment29337604_19739077"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">@Oriol thank you and yes, mdn doesn't specify any limits but aamsure uri do have limits</span> – <a href="../../users/1542290/mr-alien" title="153,751 reputation" class="comment-user ">Mr. Alien</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/19739001/what-is-the-difference-between-srcdoc-and-src-data-text-html-in-an-iframe#comment29337604_19739077"><span title="2013-11-02T16:28:57.077 License: CC BY-SA 3.0" class="relativetime-clean">Nov 02 '13 at 16:28</span></a></span> </div> </div> </li> <li id="comment-39595779" class="comment js-comment " data-comment-id="39595779" data-comment-owner-id="1559857" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment39595779_19739077"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">@Mr.Alien Regarding your last comment: Can you put the why in your answer? I'm updating my knowledge of html5 now and have read the html5 attributes associated with <iframe>; But the necessity of srcdoc hasn't become clear to me. PS: I came across this answer during my research, so any indication of how the other html5 attributes merit the existence of srcdoc, is welcome. – dot slash hack Aug 19 '14 at 16:32

Question

As of writing - srcdoc in Chrome (v36) allows the setting and fetching of cookies, whereas the use of src with data URL does not:

Uncaught SecurityError: Failed to read the 'cookie' property from 'Document': Cookies are disabled inside 'data:' URLs

This may or may not be important to you, but rules out the use of data URLs in the application I am building, which is a shame, as of course IE doesn't support srcdoc currently (v11).

score 15 · Answer 1 · answered Jul 30 '14 at 03:52

15

As of writing - srcdoc in Chrome (v36) allows the setting and fetching of cookies, whereas the use of src with data URL does not:

Uncaught SecurityError: Failed to read the 'cookie' property from 'Document': Cookies are disabled inside 'data:' URLs

This may or may not be important to you, but rules out the use of data URLs in the application I am building, which is a shame, as of course IE doesn't support srcdoc currently (v11).

answered Jul 30 '14 at 03:52

wombling - Chris Paine

1,651
1
18
17

1

Good point. Data URIs have limitations on some browsers, so `srcdoc` works better in those cases. – Oriol Aug 02 '14 at 22:04
In Chromium 81 parent frame background and font styles also cascade into the iframe, adding even more utility. – vhs May 06 '20 at 15:32

score 9 · Answer 2 · answered Nov 04 '16 at 11:29

9

Another noticeable difference is that src attributes with data-uri support URI percent-encoding rules while srcdoc doesn't as it supports regular html syntax,

these sources will yield differently:

<iframe srcdoc="<p>hello%20world</p><h1>give%0D%0Ame%0D%0Asome%24</h1>"></iframe>

<iframe src="data:text/html;charset=UTF-8,<p>hello%20datauri<p><h1>give%0D%0A me%0D%0Asome%24</h1>"></iframe>

I also noticed a difference in the parsing of js scripts inside the attributes value( it's probably more than just percentage-encoding ) but didn't figure the rule yet...

answered Nov 04 '16 at 11:29

maioman

18,154
4
36
42

1

The content of `src` has to be URL-encoded to be treated correctly. See [this question](https://stackoverflow.com/questions/9238890/convert-html-to-datatext-html-link-using-javascript) for details on how to do that. – user Jul 09 '17 at 19:15
I didn't have much luck URI encoding attribute values on larger textfiles. What worked for me was to sanitize input using recode(1) in bash beforehand. – vhs May 06 '20 at 15:36

Nate Anderson · Answer 3 · 2023-05-11T14:54:53.843

Another difference is how links to fragments inside the iframe HTML work. Let's say your HTML content has a link/<a> pointing to a document fragment/hash/id somewhere in the same page, like this:

<a href="#in_src"></a>

<!-- lots of other content, requiring scrolling -->

<p id="in_src"></p>

If you use the src attribute, (example on jsfiddle, or jsbin) the same link will scroll/jump you to the relevant fragment (as I expected).
If you use the srcdoc attribute, (example on jsfiddle, or jsbin) a fragment link like the above will try to re-navigate the entire iframe to a whole new page, (based on the parent page's context? I'm not sure, but it's not what I expected)

Maybe this is because of the difference in domains in srcdoc vs src? Maybe the difference in their baseURI values (see more below?). I'm not sure

I tested this on Chrome Version 111.0.5563.149 (Official Build) (64-bit)

EDIT

I wanted to the link to scroll/jump to the document fragment, even with a srcdoc attribute. So in this example I used Javascript to...

addEventListener() for the click event
event.preventDefault() (to prevent the anchor's iframe-resetting behavior)
and use location.hash= '#in_src'; to manually jump to the doc fragment.

Note that the values of e.target.attributes.href.value and e.target.href do not necessarily have the same value (i.e. the value of the fragment ''#in_src'`)

The attributes.href.value is the literal string value of the href attribute, like '#in_src'
But the href property of the HTMLAnchorElement API has a "a string [value] containing the whole URL"
- in the case of srcdoc, the href value is something like 'https://...#i01' (the baseURI value is the parent's URL (iframeWindow.parent.document.baseURI), and maybe that's why clicking the link will navigate the whole iframe)
- in the case of src using a data URI, the href value is something like 'data:text/html,...#i01, (the baseURI value is the data URI, and will jump to the fragment instead of navigating the hwole page)

score -1 · Answer 4 · answered Nov 02 '13 at 04:53

-1

In your example the two forms are functionally identical. However, you can use both src and srcdoc attributes, allowing non-HTML5 browsers to use the src version, while HTML5 browsers can use the srcdoc version along with the sandbox and seamless attributes which offer more flexibility in how an iFrame is treated.

answered Nov 02 '13 at 04:53

But `sandbox` and `seamless` attributes can be used too with `src` attribute, can't they? It seems to me that it's `src` which is more flexible than `srcdoc` – Oriol Nov 02 '13 at 16:00
@Oriol, I think my answer goes directly to why this is important, not as a flaw, but as a feature – Fabio Beltramini Jul 07 '15 at 19:19

score -4 · Answer 5 · edited Aug 28 '14 at 14:33

-4

The main difference is that the 'src' attribute contains the address of the document you are going to embed in the tag.

On the other hand 'srcdoc'attribute contains the HTML content of the page to show in the inline frame.

the main disadvantage of srcdoc is that it is not supported in all browsers whereas src is compatible with all the browsers.

for detailed explanation please go through the following link: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

edited Aug 28 '14 at 14:33

Phillip Senn

46,771
90
257
373

answered Nov 02 '13 at 04:51

R R

2,999
2
24
42

9

But `src` attribute can contain the HTML content of the page too, using data URIs – Oriol Nov 02 '13 at 15:45

score -4 · Answer 6 · answered Nov 02 '13 at 05:35

-4

srcdoc: The content of the page that the embedded context is to contain. This attribute is expected to be used together with the sandbox and seamless attributes. If a browser supports the srcdoc attribute, it will override the content specified in the src attribute (if present). If a browser does NOT support the srcdoc attribute, it will show the file specified in the src attribute instead (if present).

src: The URL of the page to embed.

answered Nov 02 '13 at 05:35

saransh sharma

1

9

But `src` attribute can contain the HTML content of the page too, using data URIs – Oriol Nov 02 '13 at 16:01

Linked