HTML Checking for Large Sites

Rocket Validator integrates the W3C Validator HTML checker into an automated web crawler.

HTML issues tagged as sandbox.

Bad value “X” for attribute “sandbox” on element “iframe”: Setting both “allow-scripts” and “allow-same-origin” is not recommended, because it effectively enables an embedded page to break out of all sandboxing.

The sandbox attribute is used with the iframe element to isolate the content of the embedded document from the rest of the page. It helps prevent malicious code from running on your website. However, the value assigned to the sandbox attribute in your iframe element includes both the allow-scripts and allow-same-origin options. This combination essentially removes all the protections that the sandbox attribute provides and allows the embedded document to break out of the sandbox.

To fix this issue, you should remove the allow-scripts and allow-same-origin values from the sandbox attribute. Instead, you should explicitly enable only the permissions that the embedded document requires.

Here’s an example iframe element with the proper use of sandbox:

<iframe src="https://example.com" sandbox="allow-forms allow-popups"></iframe>

This iframe element loads the https://example.com URL and has its sandbox attribute set to only allow-forms and allow-popups. This explicitly enables only the permissions that the embedded document may need, while also retaining the protections of the sandbox attribute.

6,250 HTML checks per week. Fully automated.

Save time using our automated web checker. Let our crawler check your web pages on the W3C Validator.

Rocket Validator Basic
6,250 HTML checks, $18/week