
Bad value “allow-storage-access-by-user-activation” for attribute “sandbox” on element “iframe”: The string “allow-storage-access-by-user-activation” is not a valid keyword.

About This HTML Issue

The sandbox attribute applies a strict set of restrictions to content loaded inside an <iframe>. By default, sandboxed iframes cannot run scripts, submit forms, open popups, or access storage. You can selectively lift specific restrictions by adding recognized keywords like allow-scripts, allow-forms, allow-popups, allow-same-origin, and others defined in the WHATWG HTML standard.

The keyword allow-storage-access-by-user-activation was proposed as a way to let sandboxed iframes request access to first-party storage (such as cookies) after a user gesture. However, this keyword was never adopted into the HTML specification. The functionality it aimed to provide is now handled by the Storage Access API, which uses document.requestStorageAccess() and document.hasStorageAccess() in JavaScript. Because the keyword was never standardized, the W3C validator correctly flags it as invalid.

Why this matters

  • Standards compliance: Using non-standard keywords means your HTML doesn’t conform to the specification, which the validator will flag as an error.
  • Browser inconsistency: Since this keyword was experimental and never standardized, browser support is unreliable. Some browsers may silently ignore it, while others may have briefly supported it before removing it.
  • False sense of security: Including an unrecognized sandbox keyword doesn’t actually enable the behavior you expect. The iframe won’t gain storage access just because this keyword is present—the browser simply ignores unknown tokens.

How to fix it

  1. Remove the invalid keyword from the sandbox attribute.
  2. Keep any other valid sandbox keywords that your iframe needs.
  3. Use the Storage Access API in JavaScript within the iframe if you need cross-site storage access. The embedded page must call document.requestStorageAccess() in response to a user gesture, and the sandbox attribute must include allow-scripts and allow-same-origin for this API to work.

Examples

❌ Invalid: using a non-standard sandbox keyword

<iframe
  src="https://example.com/widget"
  sandbox="allow-scripts allow-same-origin allow-storage-access-by-user-activation">
</iframe>

✅ Valid: removing the non-standard keyword

<iframe
  src="https://example.com/widget"
  sandbox="allow-scripts allow-same-origin">
</iframe>

The embedded page at https://example.com/widget can then use the Storage Access API in JavaScript:

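document.querySelector('#login-button').addEventListener('click', async () => {
  // The request is made from inside the click handler, i.e. in response to a user gesture
  try {
    if (!(await document.hasStorageAccess())) {
      await document.requestStorageAccess();
    }
    // Storage (cookies, etc.) is now accessible
  } catch (err) {
    // requestStorageAccess() rejects when access is denied; carry on without storage
    console.warn('Storage access was not granted', err);
  }
});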

✅ Valid: sandbox with other standard keywords

If your iframe doesn’t need storage access at all, simply use the standard keywords you require:

<iframe
  src="https://example.com/form"
  sandbox="allow-scripts allow-forms allow-popups">
</iframe>

Note that for document.requestStorageAccess() to work inside a sandboxed iframe, you must include both allow-scripts (so JavaScript can run) and allow-same-origin (so the iframe retains its origin). Without these, the Storage Access API calls will fail.
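The check behind this error, together with fix steps 1 and 2, can be sketched as follows. This is an added example, not Rocket Validator's or the W3C validator's code: `auditSandbox` is a hypothetical helper name, and the keyword list is an assumption copied from the sandbox keywords in the WHATWG HTML standard.

```javascript
// Assumption: the sandbox keywords defined in the WHATWG HTML standard.
// Keep this list in sync with the standard if it changes.
const STANDARD_SANDBOX_KEYWORDS = new Set([
  'allow-downloads',
  'allow-forms',
  'allow-modals',
  'allow-orientation-lock',
  'allow-pointer-lock',
  'allow-popups',
  'allow-popups-to-escape-sandbox',
  'allow-presentation',
  'allow-same-origin',
  'allow-scripts',
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Hypothetical helper (not a browser or validator API): audits one sandbox value.
function auditSandbox(value) {
  // The attribute holds unique space-separated tokens, compared ASCII case-insensitively.
  const tokens = value
    .split(/[ \t\n\f\r]+/)
    .filter(Boolean)
    .map((t) => t.replace(/[A-Z]/g, (c) => c.toLowerCase()));
  const seen = new Set();
  const unknown = [];
  const duplicates = [];
  for (const token of tokens) {
    if (seen.has(token)) { duplicates.push(token); continue; }
    seen.add(token);
    if (!STANDARD_SANDBOX_KEYWORDS.has(token)) unknown.push(token);
  }
  return {
    valid: unknown.length === 0 && duplicates.length === 0,
    unknown,
    duplicates,
    // This guide's stated requirement for calling document.requestStorageAccess().
    storageAccessApiUsable: seen.has('allow-scripts') && seen.has('allow-same-origin'),
    // Value with non-standard tokens and repeats dropped (fix steps 1 and 2).
    fixed: [...seen].filter((t) => STANDARD_SANDBOX_KEYWORDS.has(t)).join(' '),
  };
}

// Constructed sample values, taken from the iframe examples in this guide.
const samples = [
  'allow-scripts allow-same-origin allow-storage-access-by-user-activation',
  'allow-scripts allow-forms allow-popups',
];
for (const s of samples) console.log(s, '->', JSON.stringify(auditSandbox(s)));
```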
