by mattbierner
2901 days ago
Just to add some context: 'sandbox' will make the iframe load in a unique origin and also disable scripts (along with disabling a bunch of other things). This will prevent these attacks. There's also 'frame-src' for content security policies, which lets you control what is allowed in the iframe's src. Even with these guards in place, you generally should not let user content drive an iframe's src.
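The two guards named in the comment, as an added example that is not part of the original post: a helper that only emits a sandboxed iframe when the candidate URL's origin is on an allowlist, and a frame-src directive derived from that same allowlist so the browser enforces it too. The allowlist, the function names and the sample URLs are constructed for this example.

```javascript
// Added example: gate an <iframe> behind an origin allowlist and the
// 'sandbox' attribute, and emit the matching CSP frame-src directive.

// Constructed allowlist; the real list would come from configuration.
const ALLOWED_FRAME_ORIGINS = [
  "https://player.example.com",
  "https://docs.example.org",
];

// An empty sandbox token list is the most restrictive form: unique origin,
// no script execution, no form submission, no top-level navigation.
const SANDBOX_TOKENS = [];

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Return the parsed URL if it is http(s) and its origin is allowlisted, else null.
// Relative paths, malformed input, non-http(s) schemes (data:, blob:, ...) and
// look-alike hosts such as "player.example.com.evil.test" all fail the check.
function resolveAllowedFrameSrc(candidate, allowedOrigins = ALLOWED_FRAME_ORIGINS) {
  let url;
  try {
    url = new URL(String(candidate));
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // URL normalises default ports and case, so origin comparison is exact.
  return allowedOrigins.includes(url.origin) ? url : null;
}

// Build the iframe markup, or null when the candidate URL is not allowed.
function buildSandboxedIframe(candidate, allowedOrigins = ALLOWED_FRAME_ORIGINS) {
  const url = resolveAllowedFrameSrc(candidate, allowedOrigins);
  if (url === null) return null;
  const sandbox = escapeAttr(SANDBOX_TOKENS.join(" "));
  return `<iframe sandbox="${sandbox}" src="${escapeAttr(url.href)}"></iframe>`;
}

// CSP directive so the browser refuses frames outside the same allowlist.
function buildFrameSrcDirective(allowedOrigins = ALLOWED_FRAME_ORIGINS) {
  return `frame-src ${allowedOrigins.join(" ")}`;
}
```

Serve the directive in the Content-Security-Policy header of the embedding page; the markup helper alone does not stop a frame that is injected by some other path.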