HTML Guide for sandbox

The value allow-storage-access-by-user-activation is not a valid keyword for the sandbox attribute of the iframe, as it’s still an experimental value.

The sandbox attribute enables an extra set of restrictions for the content in an iframe. You can add specific keywords to relax certain restrictions, such as allow-scripts, allow-forms, allow-popups, and others.

The experimental value allow-storage-access-by-user-activation is not yet a part of the official list of allowed keywords recognized by the W3C validator or the WHATWG HTML standard.

The sandbox attribute is used with the iframe element to isolate the content of the embedded document from the rest of the page. It helps prevent malicious code from running on your website. However, the value assigned to the sandbox attribute in your iframe element includes both the allow-scripts and allow-same-origin options. This combination essentially removes all the protections that the sandbox attribute provides and allows the embedded document to break out of the sandbox.

To fix this issue, you should remove the allow-scripts and allow-same-origin values from the sandbox attribute. Instead, you should explicitly enable only the permissions that the embedded document requires.

Here’s an example iframe element with the proper use of sandbox:

<iframe src="https://example.com" sandbox="allow-forms allow-popups"></iframe>

This iframe element loads the https://example.com URL and has its sandbox attribute set to only allow-forms and allow-popups. This explicitly enables only the permissions that the embedded document may need, while also retaining the protections of the sandbox attribute.