# Bad value “allow-storage-access-by-user-activation” for attribute “sandbox” on element “iframe”: The string “allow-storage-access-by-user-activation” is not a valid keyword.

> Canonical HTML version: https://rocketvalidator.com/html-validation/bad-value-allow-storage-access-by-user-activation-for-attribute-sandbox-on-element-iframe-the-string-allow-storage-access-by-user-activation-is-not-a-valid-keyword
> Attribution: Rocket Validator (https://rocketvalidator.com)
> License: CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

The `sandbox` attribute applies a strict set of restrictions to content loaded inside an `<iframe>`. By default, sandboxed iframes cannot run scripts, submit forms, open popups, or access storage. You can selectively lift specific restrictions by adding recognized keywords like `allow-scripts`, `allow-forms`, `allow-popups`, `allow-same-origin`, and others defined in the [WHATWG HTML standard](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox).

The keyword `allow-storage-access-by-user-activation` was proposed as a way to let sandboxed iframes request access to first-party storage (such as cookies) after a user gesture. However, this keyword was never adopted into the HTML specification. The functionality it aimed to provide is now handled by the [Storage Access API](https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API), which uses `document.requestStorageAccess()` and `document.hasStorageAccess()` in JavaScript. Because the keyword was never standardized, the W3C validator correctly flags it as invalid.

## Why this matters

- **Standards compliance**: Using non-standard keywords means your HTML doesn't conform to the specification, which the validator will flag as an error.
- **Browser inconsistency**: Since this keyword was experimental and never standardized, browser support is unreliable. Some browsers may silently ignore it, while others may have briefly supported it before removing it.
- **False sense of security**: Including an unrecognized sandbox keyword doesn't actually enable the behavior you expect. The iframe won't gain storage access just because this keyword is present—the browser simply ignores unknown tokens.

## How to fix it

1. **Remove the invalid keyword** from the `sandbox` attribute.
2. **Keep any other valid sandbox keywords** that your iframe needs.
3. **Use the Storage Access API** in JavaScript within the iframe if you need cross-site storage access. The embedded page must call `document.requestStorageAccess()` in response to a user gesture, and the `sandbox` attribute must include `allow-scripts` and `allow-same-origin` for this API to work.

## Examples

### ❌ Invalid: using a non-standard sandbox keyword

```html
<iframe
  src="https://example.com/widget"
  sandbox="allow-scripts allow-same-origin allow-storage-access-by-user-activation">
</iframe>
```

### ✅ Valid: removing the non-standard keyword

```html
<iframe
  src="https://example.com/widget"
  sandbox="allow-scripts allow-same-origin">
</iframe>
```

The embedded page at `https://example.com/widget` can then use the Storage Access API in JavaScript:

```js
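// Runs inside the embedded page; the click is the required user gesture.
document.querySelector('#login-button').addEventListener('click', async () => {
  try {
    const hasAccess = await document.hasStorageAccess();
    if (!hasAccess) {
      // The returned promise rejects if the request is denied.
      await document.requestStorageAccess();
    }
    // Storage (cookies, etc.) is now accessible
  } catch (err) {
    // Access was not granted; continue without cross-site storage.
    console.warn('Storage access was not granted', err);
  }
});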
```

### ✅ Valid: sandbox with other standard keywords

If your iframe doesn't need storage access at all, simply use the standard keywords you require:

```html
<iframe
  src="https://example.com/form"
  sandbox="allow-scripts allow-forms allow-popups">
</iframe>
```

Note that for `document.requestStorageAccess()` to work inside a sandboxed iframe, you must include both `allow-scripts` (so JavaScript can run) and `allow-same-origin` (so the iframe retains its origin). Without these, the Storage Access API calls will fail.
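
The fix steps above can also be checked mechanically, for example in a build step. The following is an added example, not Rocket Validator's code: a hypothetical `auditSandbox` helper that splits a `sandbox` value into tokens, reports any that are not keywords in the WHATWG HTML standard, returns the cleaned value, and reports whether the two keywords this page names as prerequisites for the Storage Access API are present.

```javascript
// Keywords the WHATWG HTML standard defines for the sandbox attribute.
const SANDBOX_KEYWORDS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Hypothetical helper for illustration; not a browser or validator API.
function auditSandbox(value) {
  // The value is a set of space-separated tokens, compared ASCII case-insensitively.
  const tokens = value
    .split(/[ \t\n\f\r]+/)
    .filter(Boolean)
    .map((t) => t.replace(/[A-Z]/g, (c) => c.toLowerCase()));
  const kept = [];
  const invalid = [];
  const duplicates = [];
  for (const token of tokens) {
    if (!SANDBOX_KEYWORDS.has(token)) invalid.push(token); // step 1: remove
    else if (kept.includes(token)) duplicates.push(token); // tokens must be unique
    else kept.push(token); // step 2: keep valid keywords
  }
  return {
    invalid,
    duplicates,
    fixed: kept.join(' '),
    // Step 3, as stated on this page: both keywords are needed for the
    // Storage Access API to work inside a sandboxed iframe.
    storageAccessPrereqs:
      kept.includes('allow-scripts') && kept.includes('allow-same-origin'),
  };
}

// Sample values taken from the examples on this page.
const samples = [
  'allow-scripts allow-same-origin allow-storage-access-by-user-activation',
  'allow-scripts allow-forms allow-popups',
];
for (const value of samples) {
  console.log(JSON.stringify(value), '->', JSON.stringify(auditSandbox(value)));
}
```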
