angular [12.2.x] fix(core): hardening attribute and property binding rules for <iframe> elements

This commit updates the logic related to the attribute and property binding rules for elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>.

If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located.

BREAKING CHANGE:

Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings.

Nov 14 '22 22:11 AndrewKushnir

Caretaker notes:

this PR does not require a presubmit (this is an LTS-only change)
it looks like the components-repo-unit-tests CI job is failing for unrelated reasons

Nov 15 '22 00:11 AndrewKushnir

This issue has been automatically locked due to inactivity. Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}

Dec 22 '22 16:12 angular-automatic-lock-bot[bot]