react/iframe-missing-sandbox Suspicious
What it does
Enforce the sandbox attribute on iframe elements.
Why is this bad?
The sandbox attribute applies an extra set of restrictions to the content loaded in the iframe. An empty value (sandbox="") is the most restrictive form; each allow-* token selectively lifts one restriction. Using the sandbox attribute on every iframe is considered a good security practice. To learn more about sandboxing, see MDN's documentation on the sandbox attribute.
This rule checks all React <iframe> elements and verifies that a sandbox attribute is present and that its value is valid, i.e. consists only of recognized sandbox tokens. In addition, it reports cases where the attribute contains both allow-scripts and allow-same-origin, because that combination lets an embedded document that is same-origin with the embedding page run script against the parent and remove the sandbox attribute from its own iframe element, bypassing the restrictions entirely.
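The three checks described above, re-implemented as an added, standalone example (this is not the linter's own code). It takes a single JSX iframe tag as a string, extracts a literal sandbox value, and returns the diagnostics the rule would raise. The token set is the sandbox keyword list from the HTML Standard; the real rule's list and message wording may differ, and the regex-based attribute extraction is a simplification of what a linter gets from its AST.

```javascript
// Sandbox keywords defined by the HTML Standard (assumed to match the
// rule's list; the rule may track additions to the spec differently).
const SANDBOX_TOKENS = new Set([
  "allow-downloads",
  "allow-forms",
  "allow-modals",
  "allow-orientation-lock",
  "allow-pointer-lock",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-presentation",
  "allow-same-origin",
  "allow-scripts",
  "allow-storage-access-by-user-activation",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Extract the sandbox attribute from one <iframe ... /> JSX string.
// Returns:
//   null       - attribute absent
//   "dynamic"  - value is a JSX expression (sandbox={x}); not checkable statically
//   string     - the literal value; a bare `sandbox` boolean attribute is "",
//                which is what React renders for it.
function getSandboxAttribute(jsx) {
  const m = /\ssandbox\b(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|(\{[^}]*\})))?/.exec(jsx);
  if (!m) return null;
  if (m[3] !== undefined) return "dynamic";
  if (m[1] !== undefined) return m[1];
  if (m[2] !== undefined) return m[2];
  return "";
}

// Returns the list of diagnostics for the element (empty when it passes).
function checkIframeSandbox(jsx) {
  if (!/<iframe\b/.test(jsx)) return []; // rule only applies to <iframe>
  const value = getSandboxAttribute(jsx);
  if (value === null) return ["missing sandbox attribute"];
  if (value === "dynamic") return []; // cannot be evaluated at lint time

  const diagnostics = [];
  // The attribute is an unordered set of space-separated, ASCII
  // case-insensitive tokens; an empty set is valid and most restrictive.
  const tokens = value
    .trim()
    .split(/\s+/)
    .filter(Boolean)
    .map((t) => t.toLowerCase());

  for (const t of tokens) {
    if (!SANDBOX_TOKENS.has(t)) diagnostics.push(`invalid sandbox value "${t}"`);
  }
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    diagnostics.push(
      "allow-scripts together with allow-same-origin lets same-origin content remove the sandbox",
    );
  }
  return diagnostics;
}

// Constructed sample input, mirroring the rule's incorrect/correct cases.
const SAMPLES = [
  '<iframe />',
  '<iframe sandbox="invalid-value" />',
  '<iframe sandbox="allow-same-origin allow-scripts" />',
  '<iframe sandbox="" />',
  '<iframe sandbox="allow-same-origin" />',
  '<iframe sandbox={policy} />',
];

for (const jsx of SAMPLES) {
  const problems = checkIframeSandbox(jsx);
  console.log(jsx, "=>", problems.length ? problems.join("; ") : "ok");
}
```

A dynamic value (sandbox={policy}) is silently accepted here, as a static checker has no way to know what the expression evaluates to; the tokens themselves should then be validated wherever that expression is built.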
Examples
Examples of incorrect code for this rule:
```jsx
<iframe />;
<iframe sandbox="invalid-value" />;
<iframe sandbox="allow-same-origin allow-scripts" />;
```
Examples of correct code for this rule:
```jsx
<iframe sandbox="" />;
<iframe sandbox="allow-same-origin" />;
```