Access iframe Content in LWS

When LWS is enabled, Lightning web components can access content in iframe elements when the content is from the same origin. Lightning Locker prevents accessing iframe content even from the same origin.

Web browsers prevent access to content from a different origin. Browsers follow the same-origin policy to block cross-origin content in iframe elements. Some properties such as iframe.contentWindow.postMessage are allowed. For more about cross-origin accessible window properties, see CrossOriginProperties in the HTML spec.

LWS maintains the iframe identity across the sandbox boundary, so that checking the identity of postMessage event origin works normally.

LWS doesn’t allow iframe elements in Blob objects.

LWS restricts the src attribute for iframe elements to values that use the http:// and https:// schemes. URL schemes like javascript:// aren't allowed.