Why Are Iframes Considered Dangerous and a Security Risk

Why are iframes considered dangerous and a security risk?

As soon as you're displaying content from another domain, you're basically trusting that domain not to serve up malware.

There's nothing wrong with iframes per se. If you control the content of the iframe, they're perfectly safe.

Security Risks of Including a 3rd Party iFrame

If you are implementing iframes on your website, you could use the sandbox tag on the HTML5 iframe to protect yourself/others on your website.

Source: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms etc. inside the iframe.

<iframe sandbox="" src="https://www.example.com"></iframe>

Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.

It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by-downloads, browser exploits to gain access to your OS and possibly more.

See also here: Why are iframes considered dangerous and a security risk?

Hope this helps.

Are iframes considered 'bad practice'?

As with all technologies, it has its ups and downs. If you are using an iframe to get around a properly developed site, then of course it is bad practice. However sometimes an iframe is acceptable.

One of the main problems with an iframe has to do with bookmarks and navigation. If you are using it to simply embed a page inside your content, I think that is fine. That is what an iframe is for.

However I've seen iframes abused as well. It should never be used as an integral part of your site, but as a piece of content within a site.

Usually, if you can do it without an iframe, that is a better option. I'm sure others here may have more information or more specific examples; it all comes down to the problem you are trying to solve.

With that said, if you are limited to HTML and have no access to a backend like PHP or ASP.NET etc, sometimes an iframe is your only option.

What are the security vulnerabilities (if any) with using HTML5 iframes?

HTML5 iframes have sandboxing technology built in, but you have to enable it first. This means that XSS won't be an option, so if you're making iframe widgets that handle personal information, like Facebook do, as long as you do the usual stuff, there's nothing you should be concerned about.
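An added example, not from any of the answers above, showing how the sandbox attribute that the earlier answer points to (and that this answer says must be enabled first) can be built from an explicit allow-list rather than typed by hand. It is written in JavaScript so the logic can be checked outside a browser: the token names are the standard HTML sandbox keywords, the embed URL is a constructed placeholder, and the function names are my own. It also flags the one token pair the HTML standard itself warns about, allow-scripts together with allow-same-origin.

```javascript
"use strict";

// Standard sandbox keywords from the HTML Living Standard. Anything not in
// this set is rejected so a typo cannot silently fail open.
const SANDBOX_TOKENS = new Set([
  "allow-downloads",
  "allow-forms",
  "allow-modals",
  "allow-orientation-lock",
  "allow-pointer-lock",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-presentation",
  "allow-same-origin",
  "allow-scripts",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Build the attribute value from an allow-list. An empty list yields "",
// which is the most restrictive sandbox: no script, no form submission,
// an opaque origin, and no navigation of the embedding page.
function buildSandbox(allowed = []) {
  for (const token of allowed) {
    if (!SANDBOX_TOKENS.has(token)) {
      throw new Error(`unknown sandbox token: ${token}`);
    }
  }
  return [...new Set(allowed)].join(" ");
}

// allow-scripts plus allow-same-origin lets the framed document run script
// while keeping its real origin. The HTML standard notes that when that
// origin equals the embedder's, the document can simply remove the sandbox
// attribute and reload itself, and for a third-party origin the pair leaves
// little of the sandbox in effect, so this helper refuses it outright.
function sandboxIsEscapable(value) {
  const tokens = new Set(value.split(/\s+/).filter(Boolean));
  return tokens.has("allow-scripts") && tokens.has("allow-same-origin");
}

// Assemble the iframe markup as a string so it can be inspected here; in a
// real page the same attributes would be set on a created element.
function thirdPartyIframeHtml(src, allowed = []) {
  const url = new URL(src); // throws on a scheme-less "www.example.com"
  if (url.protocol !== "https:") {
    throw new Error("embed third-party content over https only");
  }
  const sandbox = buildSandbox(allowed);
  if (sandboxIsEscapable(sandbox)) {
    throw new Error("allow-scripts with allow-same-origin defeats the sandbox");
  }
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe sandbox="${esc(sandbox)}" src="${esc(url.href)}"></iframe>`;
}

// Constructed placeholder embed: a widget that only needs to submit a form.
console.log(thirdPartyIframeHtml("https://www.example.com", ["allow-forms"]));
```

The point of building the value this way is that every capability has to be named to be granted: a widget that only needs to submit a form gets allow-forms and nothing else, and an embed that needs nothing gets the empty string, which is the tightest setting the attribute offers.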
