Will It Vibe logoWill It Vibe?
WEBSEC-009Medium severity-8 points

iframe sandbox neutralized

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

An iframe sandbox grants both allow-scripts and allow-same-origin, a combination the framed page can use to strip its own sandbox.

Why it matters

An iframe sandbox is meant to isolate untrusted embedded content. Granting both allow-scripts and allow-same-origin at once lets the framed page run script AND treat itself as same-origin, which means it can reach into the parent document and even remove its own sandbox attribute. The combination provides essentially no isolation.

How to fix it

Drop one of the two tokens. If the embedded content must run scripts, do not also give it allow-same-origin (keep it in an opaque origin). If it needs same-origin access, serve trusted content and do not treat it as sandboxed. Add only the specific capabilities the frame genuinely needs and no more.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks