authorDavid Lawrence <dkl@mozilla.com>2016-04-22 00:21:38 +0200
committerDavid Lawrence <dkl@mozilla.com>2016-04-22 00:21:38 +0200
commitdab15f57403d7499c958a20e0c96ebf3083a6745 (patch)
treed41a267263f78308ddac9ec652880a6373b90b48 /template
parentd447aed0cb1672f6c7e99bf98199278dea23702f (diff)
downloadbugzilla-dab15f57403d7499c958a20e0c96ebf3083a6745.tar.gz
bugzilla-dab15f57403d7499c958a20e0c96ebf3083a6745.tar.xz
Bug 1266167 - clickjacking is possible on "view all" and "details" attachment pages
Diffstat (limited to 'template')
-rw-r--r--template/en/default/attachment/edit.html.tmpl2
-rw-r--r--template/en/default/attachment/show-multiple.html.tmpl2
2 files changed, 2 insertions, 2 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index c7d85e270..cb0b1c71a 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -215,7 +215,7 @@
%]
[% ELSE %]
<iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]
- [%- "&amp;content_type=text/plain" IF attachment.contenttype.match('^text/x-') %]">
+ [%- "&amp;content_type=text/plain" IF attachment.contenttype.match('^text/x-') %]" sandbox>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
<a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
</iframe>
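Review bot: The bare `sandbox` on the added line at L28 (and the same change at L41 in show-multiple.html.tmpl) carries no explanation, and the reason it works is easy to undo later: with no tokens the framed attachment is denied scripts, forms, top navigation and same-origin access all at once, and a future edit that adds both `allow-same-origin` and `allow-scripts` would silently restore the framed content's ability to reach the parent page. A template comment above each iframe would protect that, e.g. `[%# Keep sandbox empty: the attachment is untrusted content and must not run scripts, submit forms or navigate/reach this page (bug 1266167). %]`. Note also that the attribute only constrains attachments embedded by these two templates; a third-party page that frames attachment.cgi itself is unaffected by it, so framing protection for attachment.cgi responses, which is not visible in this diff, should be confirmed separately. Browsers that predate the `sandbox` attribute will presumably ignore it and render the attachment with its former privileges, which may be acceptable but is worth stating in the comment.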
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index 91768c0d3..c28d5dfd6 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -99,7 +99,7 @@
classes = 'viewall_frame'
%]
[% ELSE %]
- <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+ <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox>
<b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
<a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
</iframe>