Types of iFrames and when to use them

An iFrame is a dedicated space in between the content of a publisher’s page that acts like a window to an advertiser’s content. This is the way the online advertisements are typically served to viewers.

iFrames allow content from a separate domain to be loaded onto a site independently, completely isolated from the rest of the content on the page.

This isolation protects the publisher’s page from unwanted interruptions or threats to the user’s experience, but also gives very limited functionality to the advertiser.

Mainly, iFrames prevent advertisers from making changes to the size and shape of their ad, while also preventing advertisers from tracking viewability metrics. Beyond this, because the ad is trapped within the iFrame, rich media cannot be interacted with when placed inside an iFrame.

When it comes to safely monetizing your site with ads, there are several different types of iFrames you can use. Depending on the type of ad and your relationship with the advertiser, you can choose between highly restrictive frames to open frames that allow them access to you edit your site’s main page.

Each of these comes with its benefits and limitations, and knowing the difference between them can help you decide which you are comfortable with, and which you might need to implement when partnering with specific advertisers.

Below we have put together a quick list of the different iFrames, what they are capable of, and what their limitations are:

• Friendly iframe: or “same-domain iFrame”; An iFrame that shares the same domain as the main page it is hosted on. Sharing a domain allows the ad content to “break out” of the iFrame and manipulate content on the publisher’s page.Because of this, friendly iFrames should be reserved for advertisers you have a direct and/or trusted relationship with.
• Unfriendly iFrame: or “cross-domain iFrame”; An Unfriendly iFrame pulls advertisements hosted under a different domain to that of the iFrame tag. Because of the “same-domain policy,” the content within the iFrame is unable to interact with the site it is being hosted on. This protects the publisher’s page from unwanted, malicious behavior from third-party JavaScript, but also restricts the publisher from reporting important metrics to advertisers (like viewability, the size of the ad unit, interactive media, and basic performance metrics). Cross-domain iFrames are generally used for display ads that do not contain rich media and should be implemented when using programmatic advertising; or when the advertiser is unknown and does not require data from the publisher’s site.

• SafeFrames: An API-enabled Unfriendly iFrame that is able to create a line of secure communication between the webpage code and the ad contents. The API allows for some controlled information to be shared between domains while keeping malicious code from injecting onto the site, but still has many restrictions advertisers find unfavorable.SafeFrame is a great compromise between friendly and unfriendly iFrames, or when the advertiser is unknown and still requires some information from the publisher’s page.

To navigate around iFrame limitations, publishers will allow advertisers and ad networks to place JavaScript on their webpage to facilitate ad delivery, interactive media, and viewability tracking.

This might sound like a great final solution, but in order to function properly JavaScript reads all the data on a webpage.

This means they have access to read and potentially steal stored private information (customer emails, credit card numbers, etc.), as well as implement forced redirects or create interactions that break page functionality by making changes to your site’s code.

Until SafeFrame, publishers had to simply trust advertisers not implement such malicious code, and distance themselves from the ones who did.

The solution to this was adding API functionality to iFrames, thus creating SafeFrame.

API stands for Application Programming Interface. APIs are the software that allows for two applications to talk to each other and are the backbone of almost all interconnectivity on the internet.

Whenever you text, email, or search online, your message is sent across a secure API between your device and another.

For example, when you go to check the weather online (either on your phone or desktop), your device sends data (your zip code or geolocation) to the weather group’s data server and requests data (your area’s forecast) to be sent back to you.

The way this data is communicated is over an API.

By applying this to an iFrame, SafeFrame has created a secure line of communication between advertisers and publishers, where publishers can control what information is sent to the advertiser.

While SafeFrame is an effective solution to protecting your site from malicious advertisers, it still comes with a number of drawbacks.

For instance, viewability metrics still cannot be shared over SafeFrames. While advertisers are able to manipulate the size and shape of their ads, rich media content can still struggle to load properly.

This leads many publishers to continue to allow advertisers to write JavaScript on their sites.
Not only this, but SafeFrames is roughly 10 years old, and even with its updates is not without vulnerabilities.

The most sophisticated malvertisers are masters of online advertising, and can and will find vulnerabilities in your site to attack your users.

If you want true protection from bad actors, and also be able to offer advertisers rich media ads, viewability metrics, and the ability to customize the size and shape of their ads, partnering with an ad security company is your best bet.

iFrames and SafeFrames are free, DIY security tools with several drawbacks and limitations, and should only be seen as a baseline security measure for display advertisements.

Platforms and advertisers serving rich media often advise against these highly restrictive frames because they prevent the rich interactions necessary to display more lucrative ad types (i.e. native ads, video players, take-over ads), and often prefer friendly iFrames so their JavaScript can properly interact with the webpage.

And while you are able to serve standard display ads through iFrames and SafeFrame, attackers abusing browser vulnerabilities and cross-site scripting can still break out of the “secure” frames and attack your user with redirects and pop-ups.

More often than not, running a robust advertising campaign will have you using a variety of techniques, frames, and ad types, each leaving your site vulnerable to attacks in unique ways.

The only way to ensure your site is truly protected on every front is to sign up with a team of anti-malvertising experts that offer real-time protection from a variety of attacks.

HUMAN Malvertising Defense provides an impenetrable layer of security, without the limitations of iFrames. Our on-page script blocks malicious ad creative at runtime, while still allowing ad impressions to fire. This means you still earn ad impressions and revenue, and can communicate performance. This not only preserves your overall ad yield, but also creates a financial disincentive for malvertisers targeting your site.

Video stuffing ads: how they erode ad revenue & protection against them

Auto redirects: what they are, how they work, and how they hurt your ad revenue

How to make malvertisers pay