No way to set custom attributes on the detect_close IFrame #415

Open
UsAndRufus opened this issue Dec 9, 2022 · 3 comments
@UsAndRufus

UsAndRufus commented Dec 9, 2022

Background

Zoid supports adding custom attributes to IFrames. We use this to add csp and sandbox attributes. This is to meet a security requirement for IFrames. However, Zoid also inserts an IFrame with a name that's a variant of detect_close. AFAICT, this is being used for Zoid lifecycle detection.

We need this IFrame to either not exist, or allow security attributes to be passed to it. Many infosec teams consider IFrames high-risk, as does our client's. When embedding in a client's website, we want to provide exceptional security and assurance that their webpage and our IFrame are safe. It's clear other Zoid users are also wanting to use security attributes on their IFrames too.

Suggested change

There are two solutions:

  • Allow an option to remove this IFrame entirely. We don't use any lifecycle events.
  • Allow an option to (or by default) apply the attributes hash from zoid.create when creating the detect_close IFrame.
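
A check for the requirement described in this issue, as an added example that is not part of the original post or of zoid: it lists every iframe under a root that lacks the sandbox or csp attribute, and goes one step beyond the issue by also flagging a sandbox that combines allow-scripts with allow-same-origin. The required-attribute list, the frame names and the stub DOM objects are assumptions constructed for illustration.

```javascript
// Added example (not zoid code): audit every iframe under a root node for
// hardening attributes. REQUIRED is an assumed policy taken from the issue text.
const REQUIRED = ["sandbox", "csp"];

// root: anything exposing querySelectorAll, e.g. `document` in a browser.
function auditIframes(root, required = REQUIRED) {
  const findings = [];
  for (const frame of root.querySelectorAll("iframe")) {
    const missing = required.filter((attr) => !frame.hasAttribute(attr));
    // sandbox="" is the strictest setting, so only presence is required.
    const tokens = (frame.getAttribute("sandbox") || "").split(/\s+/).filter(Boolean);
    // allow-scripts + allow-same-origin lets same-origin content remove its own sandbox.
    const weakSandbox = tokens.includes("allow-scripts") && tokens.includes("allow-same-origin");
    if (missing.length > 0 || weakSandbox) {
      findings.push({ name: frame.getAttribute("name") || "(unnamed)", missing, weakSandbox });
    }
  }
  return findings;
}

// Constructed stand-ins for DOM elements so the audit runs outside a browser.
function fakeFrame(attrs) {
  const has = (k) => Object.prototype.hasOwnProperty.call(attrs, k);
  return {
    hasAttribute: has,
    getAttribute: (k) => (has(k) ? attrs[k] : null),
  };
}

// Constructed sample: a hardened frame, a helper frame with no security
// attributes (frame names are hypothetical), and a frame with a weak sandbox.
const sampleRoot = {
  querySelectorAll: (sel) => (sel === "iframe" ? [
    fakeFrame({ name: "example_component", sandbox: "allow-scripts allow-forms", csp: "default-src 'self'" }),
    fakeFrame({ name: "example_detect_close" }),
    fakeFrame({ name: "example_weak", sandbox: "allow-scripts allow-same-origin", csp: "default-src 'self'" }),
  ] : []),
};

function runSample() {
  return auditIframes(sampleRoot);
}

console.log(JSON.stringify(runSample(), null, 2));
```

In a browser, call auditIframes(document) after the component has rendered.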

@bluepnume
Collaborator

This is a totally fair ask.

I'm a little worried about applying attributes.iframe to the second iframe, for backwards compatibility reasons -- but what if we added something like attributes.detectCloseIframe?

Would be happy to accept a PR with something like this.

@UsAndRufus
Author

A second attributes object totally makes sense. I'll take a look.

@UsAndRufus
Author

I was unable to get a local build working so probably won't be able to action this, unfortunately.
