Iframe and Embedded Content Control

1 min read Web Security Fundamentals

Iframe and Embedded Content Control

<!-- HTML iframe allow attribute -->
<iframe 
    src="https://embed.example.com" 
    allow="camera 'none'; microphone 'none'; geolocation 'self'; payment 'self'"
></iframe>

<!-- Dynamic iframe permissions -->
<script>
function createSecureIframe(src, permissions = {}) {
    const iframe = document.createElement('iframe');
    iframe.src = src;
    
    // Build allow attribute
    const defaultPermissions = {
        camera: "'none'",
        microphone: "'none'",
        geolocation: "'none'",
        payment: "'none'",
        fullscreen: "'none'"
    };
    
    const mergedPermissions = { ...defaultPermissions, ...permissions };
    const allowString = Object.entries(mergedPermissions)
        .map(([feature, value]) => `${feature} ${value}`)
        .join('; ');
    
    iframe.setAttribute('allow', allowString);
    iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin');
    
    return iframe;
}

// Create iframe with specific permissions
const videoFrame = createSecureIframe('https://video.example.com', {
    camera: "'self'",
    microphone: "'self'",
    fullscreen: "'self'"
});

document.body.appendChild(videoFrame);
</script>