no-unsafe-iframe-sandbox

Rule category

Security.

What it does

Enforces sandbox attribute for iframe elements is not set to unsafe combinations.

Why is this bad?

If sandbox attribute is not set, the iframe content can have abilities that are not intended to be allowed.

Examples

This rule reports cases where attribute contains allow-scripts and allow-same-origin at the same time as this combination allows the embedded document to remove the sandbox attribute and bypass the restrictions.

Failing

import React from "react";
 
function Example() {
  return (
    <iframe
      src="https://example.com"
      sandbox="allow-scripts allow-same-origin"
    />
  );
}

import React from "react";
 
function Example() {
  return React.createElement("iframe", {
    src: "https://example.com",
    // @warn: Unsafe sandbox attribute
    sandbox: "allow-scripts allow-same-origin",
  });
}

Passing

import React from "react";
 
function Example() {
  return <iframe src="https://example.com" sandbox="allow-popups" />;
}

import React from "react";
 
function Example() {
  return React.createElement("iframe", {
    src: "https://example.com",
    sandbox: "allow-popups",
  });
}