Autoplay media / automatic fullscreen
Try autoplaying media with sound or taking fullscreen with requestFullscreen.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | partial |
| sandbox="allow-scripts" | partial |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/autoplay-media?lang=en" title="XSS Playground - Autoplay media / automatic fullscreen" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- Modern browsers generally allow only muted autoplay. Autoplay with sound requires a user gesture such as a click or tap.
- Fullscreen also requires a user gesture. Inside an iframe it may additionally require allow="fullscreen" and a compatible sandbox policy.
- The standalone risk is low, but fullscreen combined with a fake login form can become a convincing deception flow.
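The gates described above, modelled as an added example (not code from XSS Playground): a static check of an embed's sandbox, allow and allowfullscreen attributes that reports whether the frame can run script and whether it could take fullscreen after a user gesture. It assumes a cross-origin embed, where fullscreen is unavailable unless delegated; the function and field names are hypothetical.

```javascript
// Added example: static audit of the attributes on an <iframe> embed.
// Simplified model for a cross-origin embed; all names are hypothetical.

// Parse an allow="" value such as "fullscreen; autoplay 'none'" into
// a Map of feature name -> allowlist tokens.
function parseAllow(allow) {
  const features = new Map();
  for (const part of (allow || '').split(';')) {
    const [name, ...allowlist] = part.trim().split(/\s+/);
    if (name) features.set(name.toLowerCase(), allowlist);
  }
  return features;
}

// A feature is delegated when it is listed and its allowlist is not 'none'.
function isDelegated(features, name) {
  return features.has(name) && !features.get(name).includes("'none'");
}

// sandbox: undefined when the attribute is absent, "" for the strictest policy.
function auditIframe({ sandbox, allow, allowfullscreen = false } = {}) {
  const sandboxed = typeof sandbox === 'string';
  const tokens = sandboxed ? sandbox.toLowerCase().split(/\s+/).filter(Boolean) : [];
  const scripts = !sandboxed || tokens.includes('allow-scripts');
  const features = parseAllow(allow);
  // The legacy allowfullscreen attribute only counts when allow="" does not
  // mention fullscreen itself.
  const fullscreenDelegated = isDelegated(features, 'fullscreen') ||
    (allowfullscreen && !features.has('fullscreen'));
  const fullscreenAfterGesture = scripts && fullscreenDelegated;
  const findings = [];
  if (!scripts) findings.push('scripts blocked: the frame cannot call requestFullscreen() or play()');
  if (fullscreenAfterGesture) findings.push('frame can take fullscreen after one user gesture');
  if (scripts && isDelegated(features, 'autoplay')) findings.push('autoplay is delegated to the frame');
  // "expected" uses the labels from the sandbox policy table.
  return { expected: scripts ? 'partial' : 'blocked', scripts, fullscreenAfterGesture, findings };
}

// Constructed sample embeds, not taken from a real site.
const samples = [
  { sandbox: '' },
  { sandbox: 'allow-scripts' },
  { sandbox: 'allow-scripts', allow: 'fullscreen' },
  { allow: "fullscreen 'none'", allowfullscreen: true },
];
for (const s of samples) console.log(JSON.stringify(s), '->', auditIframe(s));
```

A `fullscreenAfterGesture` result of `true` on an embed of untrusted content is the case to review, since it is the precondition for the fullscreen fake-login flow noted above.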