react-doctor/iframe-missing-sandbox
Add sandbox="" (or a curated, minimal set of allow- tokens) to your iframe to restrict embedded content.
- Category: Security
- Severity: warn
- Source:
oxlint-plugin-react-doctor - Framework: global
- Enabled when: always
- Documentation: https://oxc.rs/docs/guide/usage/linter/rules/react/iframe-missing-sandbox
Validation prompt
Use this to decide whether a fired diagnostic is real or a false positive.
Fires on a JSX <iframe> (or React.createElement("iframe", ...)) in three cases: no sandbox attribute at all; a sandbox string containing a token that isn't "" or a known allow-* value; or the allow-scripts + allow-same-origin pair, which together let the frame remove its own sandbox. A bare sandbox / sandbox={true} (present with no string value) passes, and document.createElement("iframe") is intentionally ignored. False positive: a dynamic value the static check can't resolve to a string literal (sandbox={computedTokens} or sandbox={someVar}) is skipped, so a real misconfiguration assembled at runtime won't be caught — and conversely a present-but-empty literal is treated as safe.
Fix prompt
Use this once validation confirms the diagnostic is real.
Add a sandbox attribute and grant only the minimal capabilities the embed needs: start from sandbox="" (fully locked down) and add allow-* tokens one at a time, e.g. <iframe sandbox="allow-forms allow-popups" />. Never combine allow-scripts with allow-same-origin for untrusted content, since the frame can then reach into its parent origin and strip the sandbox. Use only valid tokens (allow-forms, allow-scripts, allow-popups, allow-same-origin, etc.) and drop anything misspelled. See https://oxc.rs/docs/guide/usage/linter/rules/react/iframe-missing-sandbox
Related rules
More Security rules from the rules reference:
react-doctor/import-metadata-execution-risk: Evaluating imported metadata or file contents (EXIF, manifests, presets, uploads, archives) as code lets an attacker achieve remote code execution.react-doctor/insecure-crypto-risk: Weak primitives (MD5, SHA-1, DES, RC4), non-timing-safe comparisons, or `Math.random()` for security values make signatures, tokens, and passwords easier to forge or guess.react-doctor/jsx-no-target-blank: Add rel="noreferrer" (or "noopener") whenever using target="_blank".react-doctor/key-lifecycle-risk: A private key or release credential committed inline to the repo is exposed in git history and must be rotated and revoked.react-doctor/local-rpc-native-bridge-risk: A localhost or native bridge that accepts loose origins and exposes install/update or shell commands lets a malicious web page drive native actions on the user's machine.