Can someone explain the issue behind the rule: "Sandboxed iframes with attributes ‘allow-scripts’ and ‘allow-same-origin’ are not allowed for security reasons."

juraj.masiar · February 8, 2023, 2:40pm

Thank you Tom for the analysis!

So any 3rd party page loaded into iframe can never remove the sandbox attribute, even if it’s set to “allow-same-origin allow-scripts”. Right?

So if this is not a security issue, why is it being enforced as “problem” by addon reviewers team?

I had one addon already removed from the store and a second one is now facing the same issue because of this rule.

Topic		Replies	Views
What's the point of forbidding a sandboxed iframe with allow-scripts and allow-same-origin? addons.mozilla.org	10	14627	August 29, 2024
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing Development	5	44156	July 9, 2023
Can addons load 3rd party iframes with enabled JavaScript? Development	0	343	March 21, 2022
Iframes in extension addons.mozilla.org	7	1042	April 13, 2017
Help wanted for HTML image basics 1 skill test: what I can do by allow-same-origin Learn	2	397	February 27, 2022