If iframes are evil, why do top websites allow ad networks to embed with them?

5 pointstones4117y ago3 comments

Go to your favorite news outlet's website, find an ad, right click it and choose Inspect. You'll likely see that it was embedded using a cross-domain iframe.

If iframes are so evil and insecure, then why are they still allowed to be used by top websites to let third-party ad networks embed ads?

Please don't ask why I would want to use iframes. I have my reasons for a specific scenario. I know they aren't good for SEO, they are hard to resize, hard to debug, present bookmarking concerns, hard to get to look good, etc.

I'm looking for responses strictly from a security standpoint.

When used properly with the "x-frames-options" and the right "content-security-policy" headers, are cross-domain iFrames still insecure? If so, can you please point me to documented facts?

3 comments

relaunched7y ago

From what I can tell, CSPs and the right options can make iFrames much more secure; though after working in security for a little while, I'm hesitant to call anything "Secure". The right configuration can prevent your site from being embedded into other sites (mitigate clickjacking) and also whitelist what you can call inbound and outbound. All of these are very good things, especially when you consider how many 3rd party components are embedded into modern websites, especially through tags that, basically, allow for code injection as a feature.

Practically speaking, for larger operations, especially if CSPs aren't implemented from day one, it can be highly disruptive to implement, if not done correctly with the will and prioritization of all stakeholders.

taf27y ago

iframe is the best option. You don’t want that ad running first party scripts on the content site your visiting. First party can do anything as the domain you visit. Iframe is a much better way to prevent content destruction and all sorts of malicious things if the ad server is compromised

billconan7y ago

I think iframe is used for security reasons, see https://stackoverflow.com/questions/8004001/how-does-jsfiddl...

it allows third party scripts to run in a contained environment.

j / k navigate · click thread line to collapse