Why not to use iframes for embedded dashboards (opens in new tab)

> Security teams have raised red flags about iframes for years. Cross-frame scripting, clickjacking, and credential phishing are common exploits, since the frame executes third-party code inside your trusted domain

I would disagree.

Yes iframes have security risks, but they generally pale in comparison to giving some other random site full control of your page, which is the alternative.

> Your end users expect brand-consistent dashboards that match the host app down to the smallest pixel.

Is that really true? Aren't most end users now used to, e.g., YouTube and Twitter iframes looking exactly the same everywhere, no matter what the surrounding site looks like?

It was a hard requirement for us to make our dev tool 100% embeddable without iframes. From the vendor's perspective, it's an opportunity to differentiate from competitors and avoid potential future iframe limitations that others have mentioned.

This was my instinct when we first started, and years later, on 50% of sales calls someone asks if we use iframes (as a concern). Our enterprise clients don't want to highlight a third-party solution, and iframes scream "not native" to their users.

The technical challenges of avoiding iframes are real, but the business case for solving them has been clear for us.

We just use Observable Framework https://github.com/observablehq/framework

I think iframes are pretty darn handy and it's really not that hard to leverage their strengths in a secure manner.

Their product is listed as the best alternative.

I keep revisiting this approach over and over again - I don't know, maybe I never learn. I'm not interested in analytics dashboards, my context is more around stringing together prototype/poc services into workflow pipelines. The idea usually is along the lines of "have an orchestrator service that knows what the user is trying to do, and serves a sequence of specific, embedded micro-UIs backed by services that implement each step of the overall process". I can't seem to shake this "do one thing and do it well" unix motto, and keep wanting to bring it over to UX design.

This is incredible. Thank you so much for making this so I never have to explain this again

My experience reading this article was being confused about why someone is listing all the drawbacks with i-frames - even obscure drawbacks that most people would not ever encounter. Then I noticed it’s just an Ad for their product.

I think this kind of blog post should be illegal - there needs to be a disclosure at the beginning, ie, this is informative but it’s also an advertisement. Then I would know to not read any further.

I-frames are actually pretty useful tools. They’re the only way to allow HTML content from another site to exist on your site without trusting or sanitizing it. They actually work pretty well for dashboards.

They come with some serious drawbacks, most notably, not being able to edit the content of the iframe.

I generally prefer using an API or a npm module so I can customize the content of the iframe.

i don't understand this product - i feel like tools like v0 can one-shot an analytics dashboard these days. i do think something like https://upsolve.ai/ provides real value though

Oh it's more analytics crap.