Sandboxed links, linking from cesium to page with javascript gives 'allow-scripts' error

I am trying to figure out how to get my entities (or kmls or
any other geo footprint i might have) to open when a link is pressed.

The idea here is that one could click on a warped section on
the cesium JS map and it would open up a dialog there where you could click on
the deep zoom viewer link, popping up a new window/tab to show the warped tile
as a huge image you can scroll all around and get in really close etc. So
this is what I came up with:

(btw the deep image viewer is openseadragon)


The infobox displays content in an iframe and disables running scripts by default for security concerns. If you trust whatever scripts may be coming from your entity descriptions, you can enable scripts like this:

var iframe = document.getElementsByClassName(‘cesium-infoBox-iframe’)[0];
iframe.setAttribute(‘sandbox’, ‘allow-same-origin allow-scripts allow-popups allow-forms’);



I missed this response, just found it and it works thank you so much! I do trust the descriptions cause I am creating the entities myself and by hand. Thank you!


In which file i need to add this script code ?

is there any infobox js file ?

In my main file where i have defined cesium its not working.
For data i am using ajax...


You can add this line after you’ve created var viewer = new Cesium.Viewer();


Thanks, Hannah.
You have always been a big help.

home.php:1 Blocked script execution in ‘http://localhost/database3/user/home.php’ because the document’s frame is sandboxed and the ‘allow-scripts’ permission is not set.

dear sir these error show in my click to infobox and open new page but result are not good and show these error please help.



var viewer = new Cesium.Viewer( options );

$(’.cesium-infoBox-iframe’).attr(‘sandbox’, ‘allow-same-origin allow-scripts allow-popups allow-forms’); // if you use jQuery

document.getElementsByClassName('cesium-infoBox-iframe)[0].setAttribute(‘sandbox’, ‘allow-same-origin allow-scripts allow-popups allow-forms’); // this should work in plain JS

This doesn’t eliminate an initial error during initilaization of the info-box (Hannah?), but it will allow links in the infobox.

@Hanna, is this worth an issue? IMHO, this should be done automatically during iniitialization of the iFrame.



Hello Klaus,

Thanks for helping out with that code sample!

We made a conscious decision to not set these attributes for security purposes. Users may not always have control over the content being added to the infobox so we wanted to sandbox it to prevent malicious scripts from running automatically.