diff --git a/src/helper/iframe-handler.js b/src/helper/iframe-handler.js
index c26f8ac7..7c99474c 100644
--- a/src/helper/iframe-handler.js
+++ b/src/helper/iframe-handler.js
@@ -11,6 +11,8 @@ function IframeHandler(options) {
   this._destroyTimeout = null;
   this.transientMessageEventListener = null;
   this.proxyEventListener = null;
+  this.sandbox = options.sandbox == null ?
+    'allow-same-origin allow-scripts' : options.sandbox;
   // If no event identifier specified, set default
   this.eventValidator = options.eventValidator || {
     isValid: function() {
@@ -57,6 +59,7 @@ IframeHandler.prototype.init = function() {
   _window.document.body.appendChild(this.iframe);
 
   this.iframe.src = this.url;
+  this.iframe.sandbox = this.sandbox;
 
   this.timeoutHandle = setTimeout(function() {
     _this.timeoutHandler();
diff --git a/src/web-auth/index.js b/src/web-auth/index.js
index c0ea32ba..6254c14d 100644
--- a/src/web-auth/index.js
+++ b/src/web-auth/index.js
@@ -575,6 +575,7 @@ WebAuth.prototype.validateToken = function (token, nonce, cb) {
  * @param {String} [options.postMessageOrigin] origin of redirectUri to expect postMessage response from.  Defaults to the origin of the receiving window. Only used if usePostMessage is truthy.
  * @param {String} [options.timeout] value in milliseconds used to timeout when the `/authorize` call is failing as part of the silent authentication with postmessage enabled due to a configuration.
  * @param {Boolean} [options.usePostMessage] use postMessage to comunicate between the silent callback and the SPA. When false the SDK will attempt to parse the url hash should ignore the url hash and no extra behaviour is needed
+ * @param {String} [options.sandbox] attribute values for the hidden iframe. Defaults to `allow-same-origin allow-scripts`
  * @param {authorizeCallback} cb
  * @see {@link https://auth0.com/docs/api/authentication#authorize-client}
  * @memberof WebAuth.prototype
@@ -586,6 +587,7 @@ WebAuth.prototype.renewAuth = function (options, cb) {
   var postMessageOrigin =
     options.postMessageOrigin || windowHelper.getWindow().origin;
   var timeout = options.timeout;
+  var sandbox = options.sandbox;
   var _this = this;
 
   var params = objectHelper
@@ -625,7 +627,8 @@ WebAuth.prototype.renewAuth = function (options, cb) {
     authenticationUrl: this.client.buildAuthorizeUrl(params),
     postMessageDataType: postMessageDataType,
     postMessageOrigin: postMessageOrigin,
-    timeout: timeout
+    timeout: timeout,
+    sandbox: sandbox
   });
 
   handler.login(usePostMessage, function (err, hash) {
@@ -675,6 +678,7 @@ WebAuth.prototype.renewAuth = function (options, cb) {
  * @param {String} [options.audience] identifier of the resource server who will consume the access token issued after Auth
  * @param {String} [options.timeout] value in milliseconds used to timeout when the `/authorize` call is failing as part of the silent authentication with postmessage enabled due to a configuration.
  * @param {String} [options.organization] the id or name of an organization to log in to
+ * @param {String} [options.sandbox] attribute values for the hidden iframe. Defaults to `allow-same-origin allow-scripts`
  * @param {checkSessionCallback} cb
  * @see {@link https://auth0.com/docs/libraries/auth0js/v9#using-checksession-to-acquire-new-tokens}
  * @memberof WebAuth.prototype
diff --git a/src/web-auth/silent-authentication-handler.js b/src/web-auth/silent-authentication-handler.js
index 1412eabd..a7c7840c 100644
--- a/src/web-auth/silent-authentication-handler.js
+++ b/src/web-auth/silent-authentication-handler.js
@@ -6,6 +6,7 @@ function SilentAuthenticationHandler(options) {
   this.timeout = options.timeout || 60 * 1000;
   this.handler = null;
   this.postMessageDataType = options.postMessageDataType || false;
+  this.sandbox = options.sandbox;
 
   // prefer origin from options, fallback to origin from browser, and some browsers (for example MS Edge) don't support origin; fallback to construct origin manually
   this.postMessageOrigin =
@@ -40,7 +41,8 @@ SilentAuthenticationHandler.prototype.login = function(
         '#error=timeout&error_description=Timeout+during+authentication+renew.'
       );
     },
-    usePostMessage: usePostMessage || false
+    usePostMessage: usePostMessage || false,
+    sandbox: this.sandbox
   });
 
   this.handler.init();
diff --git a/src/web-auth/web-message-handler.js b/src/web-auth/web-message-handler.js
index bafb0b99..b3b09e60 100644
--- a/src/web-auth/web-message-handler.js
+++ b/src/web-auth/web-message-handler.js
@@ -26,7 +26,8 @@ function runWebMessageFlow(authorizeUrl, options, callback) {
         error_description: 'Timeout during executing web_message communication',
         state: options.state
       });
-    }
+    },
+    sandbox: options.sandbox
   });
   handler.init();
 }
diff --git a/test/helper/iframe-handler.test.js b/test/helper/iframe-handler.test.js
index 6c9d7cd5..f18b4418 100644
--- a/test/helper/iframe-handler.test.js
+++ b/test/helper/iframe-handler.test.js
@@ -121,6 +121,20 @@ describe('helpers iframeHandler', function() {
       expect(windowHelper.getWindow().document.body);
       expect(iframe.src).to.be('my-url');
       expect(iframe.style.display).to.be('none');
+      expect(iframe.sandbox).to.be('allow-same-origin allow-scripts');
+    });
+
+    it('should create a hidden iframe with specific sandbox attributes', function () {
+      var iframe = stubWindow('load');
+      var iframeHandler = new IframeHandler({
+        url: 'my-url',
+        callback: function() {},
+        sandbox: 'allow-same-origin'
+      });
+
+      iframeHandler.init();
+
+      expect(iframe.sandbox).to.be('allow-same-origin');
     });
 
     it('should callback after a timeout', function() {
diff --git a/test/web-auth/silent-authentication-handler.test.js b/test/web-auth/silent-authentication-handler.test.js
index b981079a..f08fd7ca 100644
--- a/test/web-auth/silent-authentication-handler.test.js
+++ b/test/web-auth/silent-authentication-handler.test.js
@@ -340,5 +340,14 @@ describe('handlers silent-authentication-handler', function() {
 
       expect(sah.postMessageOrigin).to.be('https://unit-test');
     });
+
+    it('sets sandbox from parameter', function () {
+      var expectedSandbox = 'unit-test-sandbox';
+      var param = { sandbox: expectedSandbox };
+
+      var sah = new SilentAuthenticationHandler(param);
+
+      expect(sah.sandbox).to.be(expectedSandbox);
+    });
   });
 });
diff --git a/test/web-auth/web-auth.test.js b/test/web-auth/web-auth.test.js
index deed9598..598cf0e2 100644
--- a/test/web-auth/web-auth.test.js
+++ b/test/web-auth/web-auth.test.js
@@ -242,12 +242,14 @@ describe('auth0.WebAuth', function () {
         webAuth.renewAuth(options, function (err, data) { });
       });
 
-      it('should use postMessageOrigin if provided', function (done) {
+      it('should use postMessageOrigin and sandbox if provided', function (done) {
         var postMessageOrigin = 'foobar1';
+        var sandbox = 'allow-same-origin'
         sinon
           .stub(SilentAuthenticationHandler, 'create')
           .callsFake(function (options) {
             expect(options.postMessageOrigin).to.eql(postMessageOrigin);
+            expect(options.sandbox).to.eql(sandbox);
             done();
             return {
               login: function () { }
@@ -267,7 +269,8 @@ describe('auth0.WebAuth', function () {
         var options = {
           nonce: '123',
           state: '456',
-          postMessageOrigin: postMessageOrigin
+          postMessageOrigin: postMessageOrigin,
+          sandbox: sandbox
         };
 
         webAuth.renewAuth(options, function (err, data) { });