Access to iframe Content in Lightning Web Security
Whereas Lightning Locker blocks all iframed content, Lightning Web Security (LWS) determines access to content in iframes based on the value of the iframe's src
attribute. LWS takes advantage of how browsers enforce the same-origin policy to restrict cross-origin content.
- If you create an iframe element without an explicit src attribute, or if you set the src value to about:blank, then Lightning components can fully access the content in the iframe.
- If you set src to a value other than about:blank, you must use the http:// and https:// schemes. URL schemes such as javascript:// aren't allowed. When you set the src value to a URL, LWS automatically sets the iframe's sandbox attribute to allow-scripts and blocks the allow-same-origin token. In doing so, LWS causes the browser to treat the iframe as cross-origin regardless of whether the iframe's source is same-origin or cross-origin.
When the browser treats an iframe as cross-origin, some properties, such as iframe.contentWindow.postMessage, are still allowed. For more information about cross-origin accessible window properties, see CrossOriginProperties in the HTML spec and Cross-origin script API access on the MDN site.
For an example of how cross-origin restrictions work, consider a Lightning component that loads a static HTML file in an iframe element. If the HTML file contains a script that relies on direct access to the window.parent or window.top properties, then the script fails. The failure occurs because the iframe's contentWindow property returns a Window object that's subject to the cross-origin restrictions set in the browser's same-origin policy, which include blocking access to these properties. Instead, to communicate between the host page and iframe content, use the window.postMessage() method and handle the resulting MessageEvent. LWS maintains the iframe identity across the sandbox boundary, so checking the identity of the postMessage event origin works normally.
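The host/iframe exchange described above, written out as an added example (this is not code from the Salesforce documentation or from LWS itself). It assumes a Lightning web component that owns an iframe element and that the framed document's origin, as the host sees it in event.origin, is known in advance; FRAME_ORIGIN, postToFrame, acceptFrameMessage and replyToHost are names chosen for this example. The host validates each incoming message on two points before acting on it: the origin string, and whether event.source is the contentWindow of the iframe the component created, which is the identity check the text says LWS preserves across the sandbox boundary.

```javascript
// Added example: postMessage-based communication between a host page and a
// framed document that the browser treats as cross-origin.
// FRAME_ORIGIN is a constructed placeholder; use the real framed origin.
const FRAME_ORIGIN = 'https://frame.example';

// Host side: send a message to the framed document. An explicit targetOrigin
// (never '*') makes the browser drop the message if the frame has navigated
// to an unexpected origin.
function postToFrame(iframe, payload, targetOrigin = FRAME_ORIGIN) {
  if (!iframe || !iframe.contentWindow) {
    throw new Error('iframe is not attached or has no contentWindow');
  }
  iframe.contentWindow.postMessage(payload, targetOrigin);
  return true;
}

// Host side: validate an incoming MessageEvent before acting on it.
// Returns the accepted payload, or null if the message is rejected.
// Checks: (1) event.origin matches the expected framed origin;
// (2) event.source is the contentWindow of the iframe we own, so a message
//     from any other window (another frame, a popup) is ignored;
// (3) the payload has the shape we expect before it is dispatched.
function acceptFrameMessage(event, iframe, expectedOrigin = FRAME_ORIGIN) {
  if (!event || event.origin !== expectedOrigin) return null;
  if (!iframe || !iframe.contentWindow || event.source !== iframe.contentWindow) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.type !== 'string') return null;
  return data;
}

// Frame side (script inside the static HTML file): instead of reading
// window.parent or window.top directly, which fails under the cross-origin
// restrictions, answer the host through postMessage on the source window,
// and only if the message came from the expected host origin.
function replyToHost(event, hostOrigin, result) {
  if (!event || event.origin !== hostOrigin || !event.source) return false;
  event.source.postMessage({ type: 'result', result }, hostOrigin);
  return true;
}

// Wiring in the host (browser only; not executed here):
//   window.addEventListener('message', (e) => {
//     const msg = acceptFrameMessage(e, this.template.querySelector('iframe'));
//     if (msg) { /* dispatch on msg.type */ }
//   });
```

Both directions name a concrete target origin and check the incoming origin, and the host additionally pins the message to the specific iframe it created; together those are what keep a message from an unrelated frame or window from being processed.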
LWS doesn’t allow iframe elements in Blob objects.