diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index 3fa12931..9f7b6f78 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -14,6 +14,7 @@
- Ignore the healthcheck endpoint in the "too busy" limiter
- Send the referrer origin for YouTube embeddings due to their requirement
- Force kill the server after a timeout when waiting for the realtime server to close connections on shutdown
+- Secure iframes with `credentialless` and `sandbox` attributes
- Fix regexes for `[time=...]`, `[name=...]` and `[color=...]` shortcodes in lists
## 1.10.3 2025-04-09
diff --git a/public/js/extra.js b/public/js/extra.js
index c2a4c367..fc2405cd 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -461,7 +461,7 @@ export function finishView (view) {
inner.attr('target', '_blank')
$(value).append(inner)
})
- // pdf
+ // pdf
view.find('div.pdf.raw').removeClass('raw')
.each(function (key, value) {
const url = $(value).attr('data-pdfurl')
@@ -471,7 +471,12 @@ export function finishView (view) {
height: '400px'
})
})
- // syntax highlighting
+ // iframe
+ view.find('iframe')
+ .each((key, value) => {
+ $(value).attr('credentialless', '').attr('sandbox', '')
+ })
+ // syntax highlighting
view.find('code.raw').removeClass('raw')
.each((key, value) => {
const langDiv = $(value)
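Review bot: An empty `sandbox` attribute applies every restriction, including no script execution and an opaque origin, so the loop at the new `view.find('iframe')` block will break any embed that needs scripts — the YouTube embeds referenced in the release-notes hunk are the obvious case — unless they are also given an explicit allow-list. The chosen token set should be written into the code rather than left implicit, e.g. `// Default-deny every iframe; list the minimum sandbox tokens each embed type needs and why` above the `.each`, and the `.attr('sandbox', '')` line changed to that deliberate set. Separately, sandbox flags take effect when the iframe navigates, so for iframes that earlier parts of finishView have already appended with a `src` this late `.attr()` call may not apply to the document already loading; it would be safer to set both attributes at the point each iframe is created, which lies outside this hunk. `credentialless` is a Chromium-only attribute at present, so the comment should note that the `sandbox` tokens, not `credentialless`, are the portable control. finishView continues outside the hunk on both sides.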