Context: https://web.dev/articles/sandboxed-iframes
We can have scripts load from a separate endpoint inside an iframe, allowing us to easily restrict their behaviour. This solves the security concern of using third-party scripts if the remote script is compromised; however, it would only make sense for a subset of scripts.
```html
<iframe sandbox="allow-scripts" src="/__scripts/my-script.html"></iframe>
```

`/__scripts/my-script.html`

```html
<html>
<script src="https://example.com/my-script.js"></script>
</html>
```
Twitter example

```html
<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms"
    src="https://platform.twitter.com/widgets/tweet_button.html"
    style="border: 0; width:130px; height:20px;"></iframe>
```
joaopedrodcf
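An added example, not part of the original issue or of the project's code: a small audit of a `sandbox` attribute that separates the two cases above. `allow-scripts` alone on a same-origin wrapper page keeps the script in an opaque origin, while `allow-scripts` plus `allow-same-origin` is only safe when the frame is cross-origin, as in the Twitter case. The helper name `auditSandbox`, the `pageOrigin` parameter and `https://site.example` are assumptions made for illustration.

```javascript
// Hypothetical helper (not a project API): review an iframe's sandbox tokens.
// Sandbox keywords defined by the HTML Standard.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

function auditSandbox(sandbox, src, pageOrigin) {
  // A missing attribute means no sandbox at all; an empty one means full restrictions.
  if (sandbox === null || sandbox === undefined) {
    return ["no sandbox attribute: the frame runs without sandbox restrictions"];
  }
  const findings = [];
  // The attribute is a space-separated, case-insensitive token list.
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  for (const token of tokens) {
    if (!KNOWN_TOKENS.has(token)) {
      findings.push(`unrecognised token (typo?): ${token}`);
    }
  }
  // Relative src values resolve against the embedding page.
  const frameOrigin = new URL(src, pageOrigin).origin;
  const sameOrigin = frameOrigin === new URL(pageOrigin).origin;
  if (sameOrigin && tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin on a same-origin frame: " +
      "the framed script can reach the parent and remove the sandbox");
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: the frame can navigate the top-level page");
  }
  return findings;
}

// Constructed inputs mirroring the two snippets above; the page origin is a placeholder.
const PAGE = "https://site.example";
console.log(auditSandbox("allow-scripts", "/__scripts/my-script.html", PAGE));
console.log(auditSandbox("allow-same-origin allow-scripts allow-popups allow-forms",
  "https://platform.twitter.com/widgets/tweet_button.html", PAGE));
console.log(auditSandbox("allow-same-origin allow-scripts", "/__scripts/my-script.html", PAGE));
```

Both snippets from the issue produce no findings; the third call shows what would go wrong if `allow-same-origin` were added to the same-origin wrapper page.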