Attach 'sandbox' attribute to dynamically created iframe to stop redirects

Question

We use Google DFP to serve ads on our site from many different ad networks. The issue is scammers have been able to somehow create ads which automatically redirect users away from our site.

I want to find a way to stop redirects from being possible as the ad networks don't seem to be fixing this issue. They simply remove the ad when found and then another one crops up. One solution I've come up with is to add the 'sandbox' attribute to Google's iframe. From my testing this seems to work.

example:

<iframe id="testframe" src="/test.htm"></iframe>
<script>
  $('#testframe')[0].sandbox="allow-scripts";
</script>

/test.htm

<script>
  top.location.href = "http://yahoo.com";
  alert('javascript still works but no redirect!');
</script>

The thing is though DFP tags are javascript based so I don't know how to attach the 'sandbox' attribute to their iframe which is dynamically created. How do I add this attribute when the iframe is created but before it loads? Or do you have another solution to stop redirects from ads?

example of DFP tag

<div id='dfp-ad-ad_name'>
<script type='text/javascript'> 
googletag.cmd.push(function() { googletag.display('dfp-ad-ad_name'); }); 
</script> 
</div>

Answer 1

According to the GPT documentation, you should be able to make your injected iframes sandboxed by specifying

setSafeFrameConfig({sandbox: true})

Which can be used on a single slot level or on a global page level.

Not sure if this will effectively prevent malicious banners from redirecting the browser, but it may be worth trying.