diff --git a/.storybook/addons/codeEditorAddon/codeAddon.js b/.storybook/addons/codeEditorAddon/codeAddon.js
index 44b8366c6a..b19f2aefbc 100644
--- a/.storybook/addons/codeEditorAddon/codeAddon.js
+++ b/.storybook/addons/codeEditorAddon/codeAddon.js
@@ -228,6 +228,14 @@ export const withCodeEditor = makeDecorator({
 const loadEditorContent = () => {
 const storyElement = document.createElement('iframe');
+ // Security: sandbox the iframe to restrict capabilities.
+ // allow-same-origin is required for ES module loading; exfiltration is
+ // blocked by the CSP meta tag injected below.
+ storyElement.setAttribute(
+ 'sandbox',
+ 'allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-forms'
+ );
+
 storyElement.addEventListener(
 'load',
 () => {
@@ -242,6 +250,18 @@ export const withCodeEditor = makeDecorator({
 const docContent = `
+
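Review bot: The comment above the new `setAttribute('sandbox', …)` call overstates what this sandbox provides: with `allow-scripts` and `allow-same-origin` set together the frame stays same-origin with the Storybook host, so it is not a boundary against the parent page or its storage, and the CSP meta tag (not visible in this hunk) only governs fetch-style requests, while `allow-popups-to-escape-sandbox` still lets the preview open unsandboxed windows to arbitrary URLs. I would reword the comment to state the actual scope, e.g. `// Security: sandbox narrows the preview's capabilities but is NOT an origin boundary — allow-same-origin (needed for ES module loading) keeps it same-origin with the host;` and `// the CSP meta tag injected below limits fetch/connect-style exfiltration only; allow-popups-to-escape-sandbox and allow-forms remain unrestricted by it.` If the rendered content can be untrusted, it is worth checking whether `allow-popups-to-escape-sandbox` and `allow-forms` are actually needed rather than defaulting to the broad list. The enclosing `loadEditorContent` arrow function continues past the end of this hunk.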