Kilotest: Diagnoses of iframe sandbox attributes risky violation by HTML element 1051 on CVS Health page

Basics

About the CVS Health page

• URL: https://www.cvshealth.com/
• Tested 26 days ago by job q18 on 2026-05-06 at 17:48

About HTML element 1051

• Tag name: IFRAME
• Text: Skip to main content … © Copyright 1999 - 2025 CVS Health
• Start tag: <iframe sandbox="allow-scripts allow-same-origin" title="Adobe ID Syncing iFrame" id="destination_publishing_iframe_cvs_0" name="destination_publishing_iframe_cvs_0_name" src="https://cvs.demdex.net/dest5.html?d_nsid=0#https%3A%2F%2Fwww.cvshealth.com" class="aamIframeLoaded" style="display: none; width: 0px; height: 0px;">
• XPath: /html/body/iframe[1]
• Bounding box: x = 0, y = 0, width = 0, height = 0

Take me there

About the iframe sandbox attributes risky issue

• Why it matters: Document may be unsafe to use
• Priority: low
• Related WCAG standard: 4.1

Diagnoses

Here is how tools diagnose the iframe sandbox attributes risky issue for HTML element 1051 of the CVS Health page.

1. Potentially bad value allow-scripts allow-same-origin for attribute sandbox on element iframe: Setting both allow-scripts and allow-same-origin is not recommended, because it effectively enables an embedded page to break out of all sandboxing.

   Tool: Html Checker API (World Wide Web Consortium)