TinyMCE, iframe and sandbox

Hi!

We have an embedded video in TinyMCE that is rendered as an iframe, but we get an error:

Blocked script execution in 'https://our.site.com/sites/RKStream/_layouts/15/embed.aspx?UniqueId=6861732a-62d2-459f-8ba3-1ae10657a12c&ClientRender=1&action=embedview' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

I edit the iframe in TinyMCE source code or in the media dialog and I add sandbox="allow-scripts", but when I close the dialog and open it again it still says sandbox="". How can I get past this? Is it TinyMCE or Optimizely that is clearing the sandbox property?

Thanks!

/Kristoffer

#340444
Sep 18, 2025 6:02
Hi!

This one comes from TinyMCE rather than Optimizely. Starting with TinyMCE 6.8.1, there’s a new option called sandbox_iframes that adds a sandbox="" attribute to iframes for security reasons. Since TinyMCE 7.0.0 (which is what’s included in EPiServer.CMS.TinyMce v5.0+), this option is turned on by default. That’s why your iframe keeps resetting to sandbox="" even if you edit it manually in the source code or media dialog.

The fix

TinyMCE now has a whitelist option called sandbox_iframes_exclusions. By adding your own domain to this list, TinyMCE will stop applying the sandbox attribute to your iframe.

How to configure it in Optimizely CMS

In your TinyMCE settings, just extend the default exclusions list to include your own domain:

config.Default()
    .AddEpiserverSupport()
    .AddSetting("sandbox_iframes_exclusions", new[] {
        "youtube.com",
        "youtu.be",
        "vimeo.com",
        "player.vimeo.com",
        "dailymotion.com",
        "embed.music.apple.com",
        "open.spotify.com",
        "giphy.com",
        "dai.ly",
        "codepen.io",
        "your.site.com" // <-- Add your domain here
    });

Alternative: disable sandboxing

If you prefer, you can also set:

.AddSetting("sandbox_iframes", false)

This turns off iframe sandboxing entirely. It works, but it’s less secure since it removes protection against potentially harmful iframes.

Per-property configuration

Another option is to configure TinyMCE settings per property/editor instance instead of globally. That way, you could allow sandboxing in most places but disable it (or exclude your domain) only where it’s really needed.

Hope that helps!

#340455
Edited, Sep 18, 2025 20:38
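
The per-property approach described in the answer above, as an added example that is not part of the original posts: sandboxing stays on for every editor, and only one property gets the extra exclusion. The `VideoPage` type, its `MainBody` property and the `AddTinyMceSandboxConfig` method name are hypothetical, and `your.site.com` is the placeholder domain from the answer.

```csharp
using System.Linq;
using EPiServer.Cms.TinyMce.Core;
using EPiServer.Core;
using EPiServer.DataAnnotations;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical page type, used only for this illustration.
[ContentType(DisplayName = "Video page")]
public class VideoPage : PageData
{
    public virtual XhtmlString MainBody { get; set; }
}

public static class TinyMceSandboxConfig
{
    // Default exclusions as listed in the answer above. AddSetting replaces
    // the whole value, so the defaults must be repeated alongside any addition.
    private static readonly string[] DefaultExclusions =
    {
        "youtube.com", "youtu.be", "vimeo.com", "player.vimeo.com",
        "dailymotion.com", "embed.music.apple.com", "open.spotify.com",
        "giphy.com", "dai.ly", "codepen.io"
    };

    public static IServiceCollection AddTinyMceSandboxConfig(this IServiceCollection services)
    {
        return services.Configure<TinyMceConfiguration>(config =>
        {
            // Global default: sandbox_iframes and its exclusion list are left
            // untouched, so iframes from any other host still get sandbox="".
            config.Default().AddEpiserverSupport();

            // Only VideoPage.MainBody excludes the internal host. Iframes from
            // an excluded host get no sandbox attribute at all, so list only
            // hosts whose embed pages you control.
            var videoSettings = config.Default().Clone()
                .AddSetting("sandbox_iframes_exclusions",
                    DefaultExclusions.Append("your.site.com").ToArray());

            config.For<VideoPage>(p => p.MainBody, videoSettings);
        });
    }
}
```

Call `services.AddTinyMceSandboxConfig()` from the site's service registration; editors on other properties keep the default sandboxing.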