diff --git a/changelog/unreleased/iframe-sandbox-drawio.md b/changelog/unreleased/iframe-sandbox-drawio.md
new file mode 100644
index 00000000000..29641578093
--- /dev/null
+++ b/changelog/unreleased/iframe-sandbox-drawio.md
@@ -0,0 +1,5 @@
+Bugfix: Apply sandbox attribute to iframe in draw-io extension
+
+General hardening of ownCloud Web
+
+https://github.com/owncloud/web/pull/10702
diff --git a/packages/web-app-draw-io/src/App.vue b/packages/web-app-draw-io/src/App.vue
index 2076e4333a7..c03554026ad 100644
--- a/packages/web-app-draw-io/src/App.vue
+++ b/packages/web-app-draw-io/src/App.vue
@@ -4,8 +4,10 @@
     ref="drawIoEditor"
     :src="iframeSource"
     :title="$gettext('Draw.io editor')"
+    sandbox="allow-scripts allow-same-origin"
   />
 </template>
+
 <script lang="ts">
 import qs from 'qs'
 import {