react-doctor/iframe-missing-sandbox

Add sandbox="" (or a curated, minimal set of allow- tokens) to your iframe to restrict embedded content.

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires on a JSX <iframe> (or React.createElement("iframe", ...)) in three cases: no sandbox attribute at all; a sandbox string containing a token that isn't "" or a known allow-* value; or the allow-scripts + allow-same-origin pair, which together let the frame remove its own sandbox. A bare sandbox / sandbox={true} (present with no string value) passes, and document.createElement("iframe") is intentionally ignored. False positive: a dynamic value the static check can't resolve to a string literal (sandbox={computedTokens} or sandbox={someVar}) is skipped, so a real misconfiguration assembled at runtime won't be caught — and conversely a present-but-empty literal is treated as safe.

Fix prompt

Use this once validation confirms the diagnostic is real.

Add a sandbox attribute and grant only the minimal capabilities the embed needs: start from sandbox="" (fully locked down) and add allow-* tokens one at a time, e.g. <iframe sandbox="allow-forms allow-popups" />. Never combine allow-scripts with allow-same-origin for untrusted content, since the frame can then reach into its parent origin and strip the sandbox. Use only valid tokens (allow-forms, allow-scripts, allow-popups, allow-same-origin, etc.) and drop anything misspelled. See https://oxc.rs/docs/guide/usage/linter/rules/react/iframe-missing-sandbox

Previous pagereact-doctor/rn-style-prefer-boxshadowNext pagereact-doctor/jsx-no-target-blank