With this attribute set, the document inside the iframe cannot do any of the following:
- Change the parent's URL
- Open pop-ups, new windows, or new tabs
- Submit forms
- Run plug-ins
- Use pointer lock
- Read cookies or local storage from the parent, even if it's from the same origin
This is a good starting point for securing an iframe. Then, as you determine what things it needs to perform its normal functions, you can enable just those features. The sandbox attribute gives us this capability, by allowing you to specify a space-separated list of permissions, with one or more of the following choices.
allow-same-origin- allows the iframe to access cookies and local storage from the parent, as if it came from the same domain.
allow-top-navigation - allows the iframe to navigate the parent to a different URL.
allow-forms - allows form submission
allow-popups - allows the iframe to open new windows or tabs
allow-pointer-lock - allows pointer lock
In the case of the Tinfoil Security badge, the iframe contains a single image that links to a page. This page opens in a new tab or window and shows that your site is verified. The iframe doesn't need to perform any additional task, so it shouldn't be allowed to do anything except open pop-ups.