If iframes are evil, why do top websites allow ad networks to embed with them?
5 points by tones411 on Jan 30, 2019 | hide | past | favorite | 3 comments
Go to your favorite news outlet's website, find an ad, right click it and choose Inspect. You'll likely see that it was embedded using a cross-domain iframe.

If iframes are so evil and insecure, then why are they still allowed to be used by top websites to let third-party ad networks embed ads?

Please don't ask why I would want to use iframes. I have my reasons for a specific scenario. I know they aren't good for SEO, they are hard to resize, hard to debug, present bookmarking concerns, hard to get to look good, etc.

I'm looking for responses strictly from a security standpoint.

When used properly with the "x-frame-options" and the right "content-security-policy" headers, are cross-domain iFrames still insecure? If so, can you please point me to documented facts?




From what I can tell, CSPs and the right options can make iFrames much more secure; though after working in security for a little while, I'm hesitant to call anything "Secure". The right configuration can prevent your site from being embedded into other sites (mitigate clickjacking) and also whitelist what you can call inbound and outbound. All of these are very good things, especially when you consider how many 3rd party components are embedded into modern websites, especially through tags that, basically, allow for code injection as a feature.

Practically speaking, for larger operations, especially if CSPs aren't implemented from day one, it can be highly disruptive to implement, if not done correctly with the will and prioritization of all stakeholders.


iframe is the best option. You don't want that ad running first-party scripts on the content site you're visiting. First party can do anything as the domain you visit. Iframe is a much better way to prevent content destruction and all sorts of malicious things if the ad server is compromised.


I think iframe is used for security reasons, see https://stackoverflow.com/questions/8004001/how-does-jsfiddl...

It allows third-party scripts to run in a contained environment.
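The first answer says the right headers stop a page from being embedded where it shouldn't be, and the last two say the iframe itself contains the ad. As an added illustration (not code from the thread or from any browser), the model below shows how a browser decides whether page B may be framed by page A from B's `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers, and what the publisher side looks like when it loads a creative into a sandboxed frame. The origins `https://news.example` and `https://ad.example` are constructed placeholders; `mayBeFramed`, `sourceMatches` and `adFrameMarkup` are names chosen here, not browser or library APIs.

```javascript
// Added example (not from the HN thread): a small model of the browser-side check
// behind the two headers the question asks about. Origins are constructed placeholders.

// Pull the source list out of a CSP header; null means "no frame-ancestors directive".
function parseFrameAncestors(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one frame-ancestors source expression match the embedding (ancestor) origin?
// Covers 'none', 'self', '*', scheme-sources ("https:") and host-sources with an
// optional scheme, "*." subdomain wildcard and port.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const anc = new URL(ancestorOrigin);
  const page = new URL(pageOrigin);
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return anc.origin === page.origin;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return anc.protocol === src; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false; // unparseable source never matches
  const [, scheme, wildcard, host, port] = m;
  // Explicit scheme must match; an implicit one means "same as the page, or an
  // https ancestor for an http page".
  if (scheme) {
    if (anc.protocol !== scheme + ":") return false;
  } else if (anc.protocol !== page.protocol &&
             !(page.protocol === "http:" && anc.protocol === "https:")) {
    return false;
  }
  const ancHost = anc.hostname.toLowerCase();
  if (wildcard) {
    if (!ancHost.endsWith("." + host)) return false; // *.news.example != news.example
  } else if (ancHost !== host) {
    return false;
  }
  if (port === "*") return true;
  const ancPort = anc.port || defaultPort(anc.protocol);
  return ancPort === (port || defaultPort(anc.protocol));
}

// The framing decision for a response carrying X-Frame-Options and/or CSP.
// CSP Level 3 says that when frame-ancestors is present, X-Frame-Options is ignored.
function mayBeFramed({ pageOrigin, ancestorOrigin, xfo, csp }) {
  const sources = parseFrameAncestors(csp);
  if (sources !== null) {
    return sources.some((s) => sourceMatches(s, ancestorOrigin, pageOrigin));
  }
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return false;
    if (v === "SAMEORIGIN") return new URL(ancestorOrigin).origin === new URL(pageOrigin).origin;
    // ALLOW-FROM and other unknown values are treated as an invalid header by
    // current browsers, which then apply no restriction at all.
  }
  return true; // no policy: any page may frame this one
}

// Publisher side: load the creative in a frame whose sandbox grants scripts but
// withholds allow-same-origin (the ad gets an opaque origin) and allow-top-navigation
// (it cannot navigate the reader away). Only a quote-safe src is interpolated.
function adFrameMarkup(src) {
  const safeSrc = String(src).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${safeSrc}" sandbox="allow-scripts" ` +
         `referrerpolicy="strict-origin-when-cross-origin"></iframe>`;
}

// Constructed scenario: the ad server only lets the publisher's origins frame it.
const adCsp = "frame-ancestors https://news.example https://*.news.example";
console.log(mayBeFramed({ pageOrigin: "https://ad.example", ancestorOrigin: "https://news.example", csp: adCsp }));
console.log(mayBeFramed({ pageOrigin: "https://ad.example", ancestorOrigin: "https://evil.example", csp: adCsp }));
console.log(adFrameMarkup("https://ad.example/creative?slot=top"));
```

Two points the model makes explicit: a header that is present but malformed behaves like no header at all, so the `frame-ancestors` form is the one to test against, and the publisher's sandbox attribute is what keeps a compromised creative from acting as first party, independent of anything the ad server sends.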



