🔧 This rule is automatically fixable by the --fix CLI option.
Omitting the `src` attribute from an `<iframe>` element can silently bypass your Content Security Policy's `frame-src` directive.
When an `<iframe>` has no `src` (or an empty `src`), it implicitly loads `about:blank`. That document inherits the origin of the parent page, so the frame is same-origin with the page that embeds it. Setting `src` dynamically later (e.g., via JavaScript) does not re-validate against `frame-src`, which exposes an elevation-of-privilege vector.
This rule ensures that every `<iframe>` element specifies a `src` attribute explicitly in the markup, even if it is only a placeholder such as `about:blank` or a safe `data:` URL.
An attacker could inject a seemingly harmless `<iframe>` into your template, then programmatically change its `src`. Without a `src` defined at load time, the browser grants the frame origin privileges that persist after `src` is changed, effectively sidestepping CSP.
This rule forbids the following:

```hbs
<template>
  <iframe></iframe>
</template>
```

```hbs
<template>
  <iframe {{this.setFrameElement}}></iframe>
</template>
```

This rule allows the following:

```hbs
<template>
  <iframe src='about:blank'></iframe>
</template>
```

```hbs
<template>
  <iframe src='/safe-path' {{this.setFrameElement}}></iframe>
</template>
```

```hbs
<template>
  <iframe src='data:text/html,<h1>safe</h1>'></iframe>
</template>
```

```hbs
<template>
  <iframe src=''></iframe>
</template>
```

If you're dynamically setting the `src`, pre-populate the element with a secure initial `src` to ensure CSP applies:

```hbs
<template>
  <iframe src='about:blank' {{this.setFrameElement}}></iframe>
</template>
```

Or, if you know the eventual value ahead of time:

```hbs
<template>
  <iframe src='/iframe-entry' {{this.setFrameElement}}></iframe>
</template>
```
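As an added example (not ember-template-lint's own implementation), the check below scans template text for `<iframe>` start tags that omit `src`, treating Handlebars modifiers such as `{{this.setFrameElement}}` as non-attributes and accepting `src=''`, so it mirrors the forbid/allow lists above. It only inspects static markup text and does not parse the template fully.

```javascript
// Added example: a minimal stand-alone audit for <iframe> tags without src.
// Not the lint rule's real code; it mirrors the rule's documented behaviour.

// Tokenise the attribute text of one start tag. Handlebars modifiers
// ({{...}}) are skipped; name, name=value (quoted or bare) are recorded.
function parseAttributes(attrText) {
  const attrs = {};
  const token = /\{\{[^}]*\}\}|([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = token.exec(attrText)) !== null) {
    if (m[1] === undefined) continue; // a {{modifier}} is not an attribute
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per <iframe> start tag whose markup has no src
// attribute. Quoted values may contain '>' (e.g. data: URLs), so the tag
// pattern consumes quoted strings before looking for the closing '>'.
function findIframesWithoutSrc(template) {
  const tagRe = /<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const findings = [];
  let m;
  while ((m = tagRe.exec(template)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (!Object.prototype.hasOwnProperty.call(attrs, 'src')) {
      const line = template.slice(0, m.index).split('\n').length;
      findings.push({ line, tag: m[0] });
    }
  }
  return findings;
}

// Constructed sample template combining the rule's forbidden and allowed cases.
const SAMPLE_TEMPLATE = [
  '<template>',
  '  <iframe></iframe>',
  '  <iframe {{this.setFrameElement}}></iframe>',
  "  <iframe src='about:blank' {{this.setFrameElement}}></iframe>",
  "  <iframe src='data:text/html,<h1>safe</h1>'></iframe>",
  "  <iframe src=''></iframe>",
  '</template>',
].join('\n');

for (const f of findIframesWithoutSrc(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <iframe> without src: ${f.tag}`);
}
```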