by dnag 2904 days ago
Just adding the sandbox attribute is enough to severely lock down an iframe.

<iframe sandbox src="http://example.com"></iframe>

2 comments

Just to add some context: 'sandbox' will make the iframe load in a unique origin and also disable scripts (along with disabling a bunch of other things). This will prevent these attacks.

There's also 'frame-src' for content security policies, which lets you control what is allowed in the iframe's src. Even with these guards in place, you generally should not let user content drive an iframe's src.

You'll also want the CSP `sandbox` policy on the `src` page to guard against direct linking.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...