"An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing"

See e.g. https://cloud.google.com/blog/products/data-analytics/iframe-sandbox-tutorial

We set in xooauth/tcl/lti-procs.tcl a restrictive default (all sandboxing restrictions are applied by default). Users should relax it according to their embedded application.

xooauth/www/admin/lti-test.tcl is not really a productive file, so we set the already hardcoded value to no-sandboxing and note that this would be appropriate.
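An added illustration, not part of the commit or of the xooauth code: this JavaScript classifies a sandbox attribute value the way a reviewer would when relaxing the restrictive default, separating an absent attribute (no sandboxing) from an empty one (all restrictions) and flagging the allow-scripts plus allow-same-origin combination quoted above. The function name `auditSandbox`, the level labels and the sample values are assumptions made for this example.

```javascript
// Added example: classify an iframe "sandbox" attribute value.
// Pass null when the attribute is absent, "" when it is present but empty.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

function auditSandbox(value) {
  if (value === null || value === undefined) {
    return { level: "unsandboxed", granted: [], unknown: [],
             findings: ["sandbox attribute absent: no restrictions apply"] };
  }
  // Tokens are whitespace-separated and matched case-insensitively.
  const tokens = [...new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean))];
  const granted = tokens.filter((t) => KNOWN_TOKENS.has(t));
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t));
  const findings = [];
  const escapable = granted.includes("allow-scripts") && granted.includes("allow-same-origin");
  if (escapable) {
    findings.push("allow-scripts with allow-same-origin: framed content can remove its sandboxing");
  }
  if (unknown.length > 0) {
    // A misspelled token grants nothing, so the frame stays more restricted than intended.
    findings.push("unrecognized token(s): " + unknown.join(", "));
  }
  const level = escapable ? "escapable" : granted.length === 0 ? "strict" : "relaxed";
  return { level, granted, unknown, findings };
}

// Constructed sample values, not taken from the xooauth sources.
const samples = [null, "", "allow-forms allow-scripts", "Allow-Scripts  allow-same-origin", "allow-script"];
for (const s of samples) {
  const r = auditSandbox(s);
  console.log(JSON.stringify(s), "->", r.level, r.findings);
}
```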