This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>.
If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located.
BREAKING CHANGE:
Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings.
PR Close#47964
tsec is a static analyzer that discovers Trusted Types violations.
Deploy tsec to make sure there will be no TT regression in several
critical packages, including core, platform-browser, platform-server
and their dependencies. Existing violations have been reviewed and
exempted in packages/tsec-exemption.json. Future changes to the
exemption list requires security review.
PR Close#43108
