Pratik Raut 14

Client Use Of Iframe Without Sandbox error - Checkmarx

Hi All,
In code scanning, I am facing the "Client Use Of Iframe Without Sandbox" issue.
Scan result:
[screenshot of the scan result]
Can anyone please suggest a solution for this?

Thanks,
Pratik
Best Answer chosen by Pratik Raut 14
Amit Kumar Giri
@Pratik - As I suggested earlier, can you check whether you have the attributes below in your iframe?

sandbox="allow-same-origin allow-scripts allow-popups allow-forms"

All Answers

Amit Kumar Giri
Code Scan suggests the fix next to the error; maybe you are not able to see it due to some setting. However, for this error you need to include sandbox attributes allowing top-level navigation in the iframe, which will allow your page to open in a third party. This is a kind of security imposed by the site you are trying to open in the iframe. It's distinct from Salesforce.
<iframe id="iframeId" src="testiframe.html" sandbox="allow-same-origin allow-scripts allow-popups allow-forms">
</iframe>

Pratik Raut 14
Hi Amit,

Thanks for the reply!

Mistakenly, I put the wrong screenshot. Actually, we are using the "<apex:iframe>" tag in the Visualforce page.
[screenshot of the Visualforce code]
It would be very helpful if you could suggest a workaround for this.

Thanks,
Pratik
Pratik Raut 14
@Amit - We are using the "<apex:iframe>" tag in a Visualforce page, which does not support the "sandbox" attribute. So I tried something like this:
html-sandbox="allow-same-origin allow-scripts allow-popups allow-forms"
Now our functionality is working properly, and I hope we will also pass the Security Review successfully.

Thanks a lot for your suggestion.
Amit Kumar Giri
Glad that it worked for you!
Pratik Raut 14
Hi,
I have used html-sandbox="allow-same-origin allow-scripts allow-popups allow-forms", but I am still getting the issue during the security review.
I used the code below:

<apex:iframe src="{!sectionWrap.section.Inline_Api_Name_Component_Api__c}?id={!Contract_Vehicle__c.id}" scrolling="false" width="100%" height="{!sectionWrap.section.Height__c}" html-sandbox="allow-same-origin allow-scripts allow-popups allow-forms"/>

It would be very helpful if you could suggest a workaround for this.
Thanks,
Pratik
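The following is an added example, not code from the original thread and not Checkmarx's actual rule: a small JavaScript audit that reproduces the kind of check behind an "iframe without sandbox" finding. It looks at both plain `<iframe sandbox="...">` markup and the Visualforce `<apex:iframe html-sandbox="...">` form (assuming, as the thread does, that the `html-` pass-through attribute becomes the rendered `sandbox` attribute). It also flags two things a reviewer would want to know about the token list suggested above: `allow-scripts` together with `allow-same-origin` lets a same-origin framed document remove its own sandbox attribute, and `allow-top-navigation` lets the framed page navigate the top-level window. The sample markup is constructed for this example.

```javascript
// Added example (not from the original thread): audit iframe markup for a
// missing or weak sandbox attribute. Supports <iframe sandbox="..."> and the
// Visualforce <apex:iframe html-sandbox="..."> pass-through form.

// Matches <iframe ...> and <apex:iframe ...>, optionally self-closing.
const TAG_RE = /<(apex:iframe|iframe)\b([^>]*?)\/?>/gi;
// Matches name="value", name='value', name=value, or a bare name (e.g. sandbox).
const ATTR_RE = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one tag into a lower-cased name -> value map.
// A bare attribute (no "=") gets the empty string, matching HTML semantics.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per iframe-like tag: which tag, its src, the sandbox
// token list that would be rendered (null if absent), and a list of issues.
function auditIframes(html) {
  const findings = [];
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    // <apex:iframe> has no native sandbox attribute; Visualforce passes
    // html-sandbox through to the rendered <iframe sandbox="..."> (assumption
    // taken from the thread).
    const raw = tag === 'apex:iframe' ? attrs['html-sandbox'] : attrs['sandbox'];
    const finding = { tag, src: attrs.src ?? null, sandbox: raw ?? null, issues: [] };
    if (raw === undefined) {
      finding.issues.push('missing sandbox attribute');
    } else {
      const tokens = new Set(raw.toLowerCase().split(/\s+/).filter(Boolean));
      if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
        finding.issues.push(
          'allow-scripts with allow-same-origin: a same-origin framed page can remove the sandbox');
      }
      if (tokens.has('allow-top-navigation')) {
        finding.issues.push('allow-top-navigation: framed page may navigate the top-level window');
      }
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed sample markup: one unsandboxed iframe, one with the token list
// suggested in the thread, and an <apex:iframe> with a tighter list.
const SAMPLE_MARKUP = `
<iframe id="noSandbox" src="https://example.invalid/widget"></iframe>
<iframe id="weak" src="testiframe.html" sandbox="allow-same-origin allow-scripts allow-popups allow-forms"></iframe>
<apex:iframe src="{!sectionWrap.section.Inline_Api_Name_Component_Api__c}?id={!Contract_Vehicle__c.id}" scrolling="false" width="100%" height="{!sectionWrap.section.Height__c}" html-sandbox="allow-scripts allow-popups allow-forms"/>
`;

// Usage: print each finding with its issues.
for (const f of auditIframes(SAMPLE_MARKUP)) {
  console.log(`${f.tag} src=${f.src} sandbox=${JSON.stringify(f.sandbox)}`);
  for (const issue of f.issues) console.log(`  - ${issue}`);
}
```

The audit is intentionally a markup-level check, like a static scanner's: it cannot know whether the framed document is actually same-origin with the parent, so it reports the `allow-scripts` + `allow-same-origin` combination whenever both tokens appear and leaves the same-origin judgement to the reviewer. Dropping `allow-same-origin` when the framed content does not need the parent's origin is the usual way to keep the sandbox meaningful.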