
If iframes are evil, why do top websites allow ad networks to embed with them? - tones411
Go to your favorite news outlet's website, find an ad, right-click it and choose Inspect. You'll likely see that it was embedded using a cross-domain iframe.

If iframes are so evil and insecure, then why are they still allowed to be used by top websites to let third-party ad networks embed ads?

Please don't ask why I would want to use iframes. I have my reasons for a specific scenario. I know they aren't good for SEO, they are hard to resize, hard to debug, present bookmarking concerns, hard to get to look good, etc.

I'm looking for responses strictly from a security standpoint.

When used properly with the "x-frames-options" and the right "content-security-policy" headers, are cross-domain iFrames still insecure? If so, can you please point me to documented facts?
======
relaunched
From what I can tell, CSPs and the right options can make iFrames much more
secure; though after working in security for a little while, I'm hesitant to
call anything "Secure". The right configuration can prevent your site from
being embedded into other sites (mitigate clickjacking) and also whitelist
what you can call inbound and outbound. All of these are very good things,
especially when you consider how many 3rd party components are embedded into
modern websites, especially through tags that, basically, allow for code
injection as a feature.

Practically speaking, for larger operations, especially if CSPs aren't
implemented from day one, it can be highly disruptive to implement, if not
done correctly with the will and prioritization of all stakeholders.
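
A constructed example (not code from the thread) of the header pairing relaunched describes: the publisher page allowlists which ad origins it will frame and refuses to be framed itself, the ad creative allowlists which publishers may frame it, and a small checker applies the same precedence rules a browser does (frame-src falling back to child-src and default-src; frame-ancestors overriding X-Frame-Options). The origins pub.example, ads.example and evil.example are made up.

```python
# Constructed example (not code from the thread): headers for both sides of a
# cross-origin ad iframe, plus a checker applying the rules a browser applies
# before framing one page inside another. All origins below are made up.

def publisher_headers(ad_origins):
    """Publisher page: frames only the listed ad origins; nobody may frame it."""
    csp = ("default-src 'self'; frame-src " + " ".join(ad_origins)
           + "; frame-ancestors 'none'")
    # X-Frame-Options is the legacy fallback for browsers without frame-ancestors.
    return {"Content-Security-Policy": csp, "X-Frame-Options": "DENY"}

def ad_headers(publisher_origins):
    """Ad creative from the ad network: only the listed publishers may frame it."""
    return {"Content-Security-Policy":
            "frame-ancestors " + " ".join(publisher_origins)}

def _directive(headers, name):
    """Source list of one CSP directive, or None when it is absent."""
    for part in headers.get("Content-Security-Policy", "").split(";"):
        tokens = part.split()
        if tokens and tokens[0] == name:
            return tokens[1:]
    return None

def _allows(sources, origin, self_origin):
    """Does a CSP source list admit `origin`? ('none', *, 'self', exact origins;
    host wildcards and scheme-only sources are deliberately not handled.)"""
    if sources == ["'none'"]:
        return False
    return any(src == "*" or src == origin or
               (src == "'self'" and origin == self_origin) for src in sources)

def embedding_allowed(parent, parent_headers, child, child_headers):
    """True if `parent` may load `child` in an <iframe> under both policies."""
    # Embedder side: frame-src, falling back to child-src, then default-src.
    for name in ("frame-src", "child-src", "default-src"):
        sources = _directive(parent_headers, name)
        if sources is not None:
            if not _allows(sources, child, parent):
                return False
            break
    # Embedded side: frame-ancestors wins; X-Frame-Options counts only without it.
    ancestors = _directive(child_headers, "frame-ancestors")
    if ancestors is not None:
        return _allows(ancestors, parent, child)
    xfo = child_headers.get("X-Frame-Options", "").upper()
    return xfo != "DENY" and (xfo != "SAMEORIGIN" or parent == child)
```

The checker only models the framing decision; it says nothing about what the framed script can do once loaded, which is the separate origin-isolation point taf2 raises below.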

------
taf2
Iframe is the best option. You don't want that ad running first-party scripts
on the content site you're visiting. First party can do anything as the domain
you visit. Iframe is a much better way to prevent content destruction and all
sorts of malicious things if the ad server is compromised.

------
billconan
I think iframe is used for security reasons, see
[https://stackoverflow.com/questions/8004001/how-does-jsfiddle-allow-and-execute-user-defined-javascript-without-being-danger](https://stackoverflow.com/questions/8004001/how-does-jsfiddle-allow-and-execute-user-defined-javascript-without-being-danger)

It allows third-party scripts to run in a contained environment.

