# ember/template-require-iframe-src-attribute 🔧 This rule is automatically fixable by the [`--fix` CLI option](https://eslint.org/docs/latest/user-guide/command-line-interface#--fix). Omitting the `src` attribute from an ` ``` ```gjs ``` This rule **allows** the following: ```gjs ``` ```gjs ``` ```gjs ``` ```gjs ``` ## Migration If you're dynamically setting the `src`, pre-populate the element with a secure initial `src` to ensure CSP applies: ```gjs ``` Or, if you know the eventual value ahead of time: ```gjs ``` ## Related Rules - [require-iframe-title](template-require-iframe-title.md) ## References - [CSP `frame-src` bypass via missing `src`](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-src) - [MDN on `