Frontend safety

iframe-sandbox

Require a `sandbox` attribute on `<iframe>` to constrain embedded content.

An `<iframe>` without `sandbox` inherits full ambient authority from the parent (cookies, top-level navigation, etc.). The rule fires on unsandboxed iframes; the developer picks the minimum capability set the embedded content actually needs.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

<iframe src="/embed" />

Good:

<iframe src="/embed" sandbox="allow-scripts" />
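The check below is an added, standalone approximation of what this rule looks for; it is not the @deslint/eslint-plugin implementation, which runs on ESLint's JSX AST. It scans source text for `<iframe>` tags with a regex (a simplification that does not handle `>` inside JSX expression values) and reports the case the rule flags, a missing `sandbox` attribute. It also goes one step beyond the rule with a second finding: a `sandbox` value that combines `allow-scripts` and `allow-same-origin`, which lets same-origin embedded content remove its own sandbox. The sample source is constructed for the example and includes the Bad and Good snippets from this page.

```javascript
// Added example, not the plugin's code: a text-based approximation of the
// iframe-sandbox check plus a caveat on a permissive sandbox combination.

// Matches one <iframe ...> or <iframe ... /> opening tag; group 1 holds the
// attribute text. Simplification: a '>' inside a JSX expression value breaks it.
const IFRAME_RE = /<iframe\b([^>]*?)\/?>/gi;

// Matches name="value", name='value', name={expr}, name=bare or a bare name.
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|\{[^}]*\}|([^\s"'>]+)))?/g;

// Parse the attribute text of one tag into a name -> value map.
// JSX expression values ({...}) are not evaluated and are stored as null.
function parseAttributes(attrText) {
  const attrs = {};
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? null;
    attrs[name] = value;
  }
  return attrs;
}

// Return one finding per problem: { line, message }.
function checkIframes(source) {
  const findings = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(source)) !== null) {
    const line = source.slice(0, m.index).split('\n').length;
    const attrs = parseAttributes(m[1]);

    // What the rule itself reports: no sandbox attribute at all.
    // Note that sandbox="" is present and is the most restrictive setting.
    if (!('sandbox' in attrs)) {
      findings.push({ line, message: 'iframe is missing the sandbox attribute' });
      continue;
    }

    // Caveat beyond the rule: allow-scripts together with allow-same-origin
    // lets same-origin embedded content strip its own sandbox attribute,
    // so the pair gives no isolation for same-origin embeds.
    const tokens = (attrs.sandbox ?? '').split(/\s+/).filter(Boolean);
    if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
      findings.push({
        line,
        message:
          'sandbox combines allow-scripts and allow-same-origin; same-origin content can remove the sandbox',
      });
    }
  }
  return findings;
}

// Constructed sample source: the Bad and Good snippets from this page plus two more cases.
const SAMPLE = [
  '<iframe src="/embed" />',
  '<iframe src="/embed" sandbox="allow-scripts" />',
  '<iframe src="/widget" sandbox="allow-scripts allow-same-origin"></iframe>',
  '<iframe src="/static" sandbox=""></iframe>',
].join('\n');

for (const f of checkIframes(SAMPLE)) {
  console.log(`line ${f.line}: ${f.message}`);
}
```

Lines 1 and 3 of the sample are reported; line 2 (the page's Good example) and line 4 (an empty `sandbox`, the most restrictive setting) pass. A dynamic value such as `sandbox={flags}` counts as present because the example does not evaluate JSX expressions, mirroring what a static check can and cannot see.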

Related rules

Use it

Enable iframe-sandbox in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/iframe-sandbox': 'error',
    },
  },
];
