Access to iframe Content in Lightning Web Security

When Lightning Web Security (LWS) is enabled, Lightning components can access content in iframe elements when the content is from the same origin. Lightning Locker prevents accessing iframe content even from the same origin.

Web browsers prevent access to content from a different origin. Browsers follow the same-origin policy to block cross-origin content in iframe elements. Some properties such as iframe.contentWindow.postMessage are allowed. For more about cross-origin accessible window properties, see CrossOriginProperties in the HTML spec.

LWS maintains the iframe identity across the sandbox boundary, so that checking the identity of postMessage event origin works normally.

LWS restricts the src attribute for iframe elements to values that use the http:// and https:// schemes. URL schemes like javascript:// aren't allowed.
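
The src scheme restriction and the postMessage origin check described above, as an added example that is not Salesforce or LWS code: a component-side allowlist for iframe src values and a message listener that accepts an event only when both its source window and its origin match the embedded frame. The function names and the example.com URLs are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not part of the LWS API.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalized URL if src uses http or https, otherwise null.
// baseUrl stands in for the page URL when resolving relative values.
function safeIframeSrc(src, baseUrl) {
  let url;
  try {
    url = new URL(src, baseUrl);
  } catch (e) {
    return null; // unparseable value
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Builds a "message" listener that trusts an event only when it was sent
// by the given iframe window AND from the origin the iframe was loaded from.
function createFrameMessageHandler(frameWindow, frameSrc, onTrusted) {
  const expectedOrigin = new URL(frameSrc).origin;
  return function handleMessage(event) {
    // Identity check: relies on the iframe window keeping its identity.
    if (event.source !== frameWindow) return false;
    // Origin check: rejects the frame if it has navigated elsewhere.
    if (event.origin !== expectedOrigin) return false;
    onTrusted(event.data);
    return true;
  };
}

// Browser usage (constructed URL, assumed iframe and render variables):
//   const src = safeIframeSrc('https://widgets.example.com/embed', location.href);
//   if (src) {
//     iframe.src = src;
//     window.addEventListener('message',
//       createFrameMessageHandler(iframe.contentWindow, src, render));
//   }
```

Checking event.source in addition to event.origin matters when several frames from the same origin are embedded, because the origin alone cannot tell them apart.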

LWS doesn’t allow iframe elements in Blob objects.