iframe sandbox neutralized
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
An iframe sandbox grants both allow-scripts and allow-same-origin, a combination the framed page can use to strip its own sandbox.
Why it matters
An iframe sandbox is meant to isolate untrusted embedded content. Granting both allow-scripts and allow-same-origin at once lets the framed page run script AND treat itself as same-origin, which means it can reach into the parent document and even remove its own sandbox attribute. The combination provides essentially no isolation.
How to fix it
Drop one of the two tokens. If the embedded content must run scripts, do not also give it allow-same-origin (keep it in an opaque origin). If it needs same-origin access, serve trusted content and do not treat it as sandboxed. Add only the specific capabilities the frame genuinely needs and no more.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo