From 1abd7a0dfe2dadbc0421a375d3433241c7f6e3c1 Mon Sep 17 00:00:00 2001 From: Jonathan Blair Date: Tue, 19 Dec 2023 17:39:51 -0500 Subject: [PATCH] Update index.md --- files/en-us/web/html/element/iframe/index.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/files/en-us/web/html/element/iframe/index.md b/files/en-us/web/html/element/iframe/index.md index 893a018ec088127d..f04ef993f4e098d8 100644 --- a/files/en-us/web/html/element/iframe/index.md +++ b/files/en-us/web/html/element/iframe/index.md @@ -124,7 +124,10 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib > > - When the embedded document has the same origin as the embedding page, it is **strongly discouraged** to use both `allow-scripts` and `allow-same-origin`, as that lets the embedded document remove the `sandbox` attribute — making it no more secure than not using the `sandbox` attribute at all. > - Sandboxing is useless if the attacker can display content outside a sandboxed `iframe` — such as if the viewer opens the frame in a new tab. Such content should be also served from a _separate origin_ to limit potential damage. - > - When opening a link from an embedded page with the `sandbox` attribute, the Auxiliary Window is restricted to the same `sandbox` values unless `allow-popups-to-escape-sanbox` is included. + + > **Note:** + > + > - When opening a link from an embedded page with the `sandbox` attribute, the Auxiliary Window is restricted to the same `sandbox` values unless `allow-popups-to-escape-sandbox` is included. - `src`
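Review bot: In the single hunk at line 124 of `files/en-us/web/html/element/iframe/index.md`, the only correction to the text is the token spelling (`allow-popups-to-escape-sanbox` to `allow-popups-to-escape-sandbox`), yet the bullet is also moved out of the existing callout into a new `> **Note:**` block behind an added blank line. That separates it from the two other `sandbox` caveats it was listed with and leaves a callout holding a one-item list. If the intent is only the typo fix, keep the line as the third bullet of the existing list and change just the token, which makes this a one-line diff. If the split is intentional, drop the `-` so the note is a plain paragraph and say why in the commit message. The subject "Update index.md" describes neither change; something naming the `allow-popups-to-escape-sandbox` spelling fix would make the history searchable.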