Setting sandbox attribute of frame

[th174]

Is there some way to set the sandbox attribute of the iframe? Specifically, I want to prevent the child inside the iframe from being able to inject javascript inside the context of the parent.

[bluepnume]

Hi @th174.

You can do:

const MyComponent = zoid.create({
    attributes: {
        iframe: {
            sandbox: '...'
        }
    }
})

That said:

I want to prevent the child inside the iframe from being able to inject javascript inside the context of the parent

If the iframe is on a different domain, that will be impossible anyway, even without sandbox

[th174]

If the iframe is on a different domain, that will be impossible anyway, even without sandbox

That's currently how it is, however, because of some unrelated requirements, I might need to reverse proxy the iframe's domain through the parent's domain. In that case, I would need the sandbox to preserve the same separation of permissions.

[bluepnume]

Interesting. Could you reverse-proxy onto a subdomain? Otherwise the site will also have same-domain access to any of your server's urls/apis.

[th174]

I was hoping to prevent that by revoking allow-same-origin access with the sandbox attribute. Would that not be sufficient?

[bluepnume]

That would work, but what if somebody redirects to the page outside of an iframe? Using a subdomain would give an extra layer of security for cases like that.