Seoxpert.io
Medium · Security

Cross-Origin `<iframe>` Without `sandbox` Attribute

Cross-origin iframes without a sandbox attribute can expose your site to security risks and supply-chain attacks.

By Seoxpert Editorial · Published

Why it matters

An unsandboxed cross-origin iframe is constrained only by the same-origin policy, so the third-party document inside it can still run scripts, open pop-ups, submit forms, trigger downloads and navigate the top-level page. If that content is malicious or its vendor is compromised, users can be redirected or deceived on your pages, which leads to security breaches, user data exposure and loss of trust, all of which negatively impact SEO and user experience.

Impact

Leaving this unresolved allows third-party iframes to execute potentially harmful actions on your site.

How it's detected

Automated crawlers scan for <iframe> elements whose src resolves to an origin different from the page's own and flag those that have no sandbox attribute at all (an empty sandbox="" counts as sandboxed).

Common causes

  • Embedding third-party widgets without reviewing security settings
  • Copy-pasting embed codes that lack sandbox attributes
  • Lack of awareness about iframe sandboxing
  • Trusting vendors without verifying their security documentation

How to fix it

Add a sandbox attribute to every cross-origin iframe, starting with sandbox="" (equivalent to a bare sandbox), which applies every restriction. Then add only the tokens the widget needs, one at a time, such as allow-scripts or allow-same-origin. Note that allow-same-origin lets the framed document keep its real origin (its own cookies and storage); combined with allow-scripts it must never be granted to content served from your own origin, because such a document could then remove its own sandbox attribute. Audit all third-party embeds and prefer vendors who clearly document the sandbox flags they require.

Code examples

Problem: Unsandboxed cross-origin iframe

<iframe src="https://thirdparty.com/widget"></iframe>

Fix: Sandboxed cross-origin iframe (most restrictive)

<iframe src="https://thirdparty.com/widget" sandbox=""></iframe>

Fix: Sandboxed with minimal required permissions

<iframe src="https://thirdparty.com/widget" sandbox="allow-scripts"></iframe>

FAQ

Why is the sandbox attribute important for cross-origin iframes?

It restricts what the embedded content can do, reducing the risk of malicious actions against your site or users.

What permissions should I allow in the sandbox attribute?

Only the minimal set needed for the iframe to function, such as allow-scripts if JavaScript is required.

Can I trust third-party embeds without a sandbox?

No. Even trusted vendors can be compromised, so always use sandboxing for cross-origin iframes.

Will adding sandbox break my iframe widget?

It may if the widget relies on blocked features. Start with sandbox="" and add permissions as needed until it works.
