If iframes are evil, why do top websites allow ad networks to embed with them?
5 points by tones411 6 years ago | 3 comments

If iframes are so evil and insecure, then why are they still allowed to be used by top websites to let third-party ad networks embed ads?
Please don't ask why I would want to use iframes. I have my reasons for a specific scenario. I know they aren't good for SEO, they are hard to resize, hard to debug, present bookmarking concerns, hard to get to look good, etc.
I'm looking for responses strictly from a security standpoint.
When used properly with the "X-Frame-Options" and the right "Content-Security-Policy" headers, are cross-domain iFrames still insecure? If so, can you please point me to documented facts?
- relaunched 6 years ago

From what I can tell, CSPs and the right options can make iFrames much more secure; though after working in security for a little while, I'm hesitant to call anything "Secure". The right configuration can prevent your site from being embedded into other sites (mitigate clickjacking) and also whitelist what you can call inbound and outbound. All of these are very good things, especially when you consider how many 3rd party components are embedded into modern websites, especially through tags that, basically, allow for code injection as a feature.
Practically speaking, for larger operations, especially if CSPs aren't implemented from day one, it can be highly disruptive to implement, if not done correctly with the will and prioritization of all stakeholders.
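The two headers the question and the comment above refer to do not carry equal weight in a browser: when a response has an enforced Content-Security-Policy with a frame-ancestors directive, the browser applies that directive and ignores X-Frame-Options entirely; X-Frame-Options only matters when frame-ancestors is absent. The following JavaScript is an added example, written for this page and not code from the thread or any commenter. It models that decision for a single top-level embedder so the two configurations can be compared side by side. It assumes lowercase header names, one X-Frame-Options value and one CSP header, handles the ancestor-source forms 'none', 'self', '*', scheme-only (https:) and host-source (optional scheme, optional *. wildcard, optional port), and skips the multi-value X-Frame-Options rules. All origins and header sets in it are constructed for illustration.

```javascript
// Added example: would a browser let a page served with `headers` be framed
// by a top-level document at `embedderOrigin`? Assumptions: header names are
// lowercase, X-Frame-Options has a single value, there is one CSP header.

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
}

function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || defaultPort(scheme) };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Returns the frame-ancestors source list, or null when the directive is absent.
// An empty list is a valid result and behaves like 'none'.
function frameAncestorsSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// One CSP ancestor-source expression against the embedder's origin.
function sourceMatches(source, embedder, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(embedder, page);
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.scheme === s.slice(0, -1); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (scheme !== embedder.scheme) return false;
  } else if (!(embedder.scheme === page.scheme || (page.scheme === 'http' && embedder.scheme === 'https'))) {
    return false; // no scheme given: page's scheme, or an upgrade from http to https
  }
  if (wildcard ? !embedder.host.endsWith('.' + host) : embedder.host !== host) return false;
  if (port === '*') return true;
  return embedder.port === (port || defaultPort(embedder.scheme));
}

function canBeFramed(headers, embedderOrigin, pageOrigin) {
  const embedder = parseOrigin(embedderOrigin);
  const page = parseOrigin(pageOrigin);
  const sources = frameAncestorsSources(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors is present and enforced: X-Frame-Options is not consulted at all.
    return sources.some((src) => sourceMatches(src, embedder, page));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  if (xfo === 'sameorigin') return sameOrigin(embedder, page);
  // Absent, or a single value the browser does not recognise (for example the
  // obsolete ALLOW-FROM form): framing is allowed.
  return true;
}

// Constructed header sets for comparison; the page being framed is https://shop.example.
function demo() {
  const page = 'https://shop.example';
  const cases = {
    'no headers': {},
    'XFO DENY': { 'x-frame-options': 'DENY' },
    'XFO SAMEORIGIN': { 'x-frame-options': 'SAMEORIGIN' },
    'obsolete ALLOW-FROM': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
    'frame-ancestors partner': { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
    'XFO DENY plus frame-ancestors partner': {
      'x-frame-options': 'DENY',
      'content-security-policy': 'frame-ancestors https://partner.example',
    },
  };
  const out = {};
  for (const [name, h] of Object.entries(cases)) {
    out[name] = {
      partner: canBeFramed(h, 'https://partner.example', page),
      attacker: canBeFramed(h, 'https://attacker.example', page),
    };
  }
  return out;
}

console.log(demo());
```

Running it shows the two caveats worth remembering when answering the question above: `ALLOW-FROM` leaves the page as exposed as sending no header at all, and adding a frame-ancestors directive replaces an existing `DENY` rather than tightening it, so a CSP rolled out later can silently loosen an older X-Frame-Options policy.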
- taf2 6 years ago

iframe is the best option. You don’t want that ad running first-party scripts on the content site you're visiting. First party can do anything as the domain you visit. Iframe is a much better way to prevent content destruction and all sorts of malicious things if the ad server is compromised.
- billconan 6 years ago

I think iframe is used for security reasons, see https://stackoverflow.com/questions/8004001/how-does-jsfiddl...

It allows third-party scripts to run in a contained environment.