fix(compiler): disallow translations of iframe src

crisbeto · mattrbeck · commit 78dea55351fb · 2026-03-12T11:01:26.000-06:00
Fixes that the compiler was allowing translations of `src` attributes in iframes which can be a security issue.
diff --git a/packages/compiler/src/schema/trusted_types_sinks.ts b/packages/compiler/src/schema/trusted_types_sinks.ts
@@ -11,7 +11,7 @@
  * tags use '*'.
  *
  * Extracted from, and should be kept in sync with
- * https://w3c.github.io/webappsec-trusted-types/dist/spec/#integrations
+ * https://www.w3.org/TR/trusted-types/#integrations
  */
 const TRUSTED_TYPES_SINKS = new Set<string>([
   // NOTE: All strings in this set *must* be lowercase!
@@ -25,6 +25,7 @@ const TRUSTED_TYPES_SINKS = new Set<string>([
 
   // TrustedScriptURL
   'embed|src',
+  'iframe|src',
   'object|codebase',
   'object|data',
 ]);
diff --git a/packages/compiler/test/schema/trusted_types_sinks_spec.ts b/packages/compiler/test/schema/trusted_types_sinks_spec.ts
@@ -13,6 +13,7 @@ describe('isTrustedTypesSink', () => {
     expect(isTrustedTypesSink('iframe', 'srcdoc')).toBeTrue();
     expect(isTrustedTypesSink('p', 'innerHTML')).toBeTrue();
     expect(isTrustedTypesSink('embed', 'src')).toBeTrue();
+    expect(isTrustedTypesSink('iframe', 'src')).toBeTrue();
     expect(isTrustedTypesSink('a', 'href')).toBeFalse();
     expect(isTrustedTypesSink('base', 'href')).toBeFalse();
     expect(isTrustedTypesSink('div', 'style')).toBeFalse();
