Does SafeFrame Work Against Malvertising?
by Nick Carlson, on Oct 12, 2021 9:00:00 AM
Protecting your website from malvertisers and bad ads is crucial to your user experience, site metrics, and overall ad yield. And while the malvertising ecosystem is vast and complex, there are a couple of DIY solutions that offer reasonable protection from basic advertising attacks.
If you are publishing over Google, which you more than likely are, many of these security features come with the platform, including SafeFrame, a secure, API-enabled iFrame that allows communication between an advertiser’s ad and the website it is published on.
What is SafeFrame?
To fully explain what SafeFrame is and how it works, we need to start with an explanation of iFrames.
iFrames are the spaces on your webpage that ads are served into, and they protect your webpage by preventing advertisers from interacting with the code on your site.
This is because iFrames load content from different domains, known as “cross-domain”, and basic browser security, known as the same-origin policy, prevents content from different domains from interacting with or interrupting each other.
Essentially, iFrames work as windows on your site that display content from other domains.
The issue with iFrames is that because advertisers are prevented from interacting with data and scripts in the parent frame (the rest of the webpage the iFrame is placed in), they are also unable to track viewability metrics and other tracking data that allows them to know how their ad is performing.
This is why the IAB introduced SafeFrame, which is essentially an iFrame with an API, allowing advertisers to request data without needing access to a publisher’s webpage.
An API (Application Programming Interface) is how all applications are able to communicate with each other, from email and texting, to databases and form requests.
By adding this functionality, advertisers can now have limited tracking capabilities while also being able to correctly shape and size their ads to fit the frame, something iFrames do not allow.
Drawbacks of SafeFrame
While SafeFrame seems like a great final solution to malvertising, it still has a number of drawbacks that leave you vulnerable to malicious attacks.
The most stark drawbacks are:
Browser vulnerabilities and cross-site scripting attacks
These vulnerabilities can lie unpatched for extended periods of time, and even when browsers update and patch issues, users don’t always update their browsers. Once vulnerabilities get patched, it is only a matter of time before bad actors find another hole to go through.
Inability to protect mobile redirects
Mobile browsers may lack the features required for SafeFrame to work, or have other security vulnerabilities that make it easier to bypass SafeFrame.
Does not report viewability metrics
SafeFrame does not directly report viewability metrics; the API only allows access to information the advertiser can use to determine whether or not the SafeFrame container is "in view."
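To make that last point concrete, the following JavaScript is an added example (not code from this article or from the IAB) showing how a creative could derive its own viewability signal from the SafeFrame `$sf.ext` calls `register`, `inViewPercentage` and `winHasFocus`, without ever touching the publisher's page. The 50%-for-one-second threshold, the names `createViewabilityTracker` and `makeStubHost`, and the stub host object are assumptions made for the example.

```javascript
// Added example. `sf` is the $sf object a SafeFrame host injects into the ad container.
// Assumption: "viewable" means >= 50% in view for 1 continuous second, window focused.
function createViewabilityTracker(sf, opts = {}) {
  const minPercent = opts.minPercent ?? 50;
  const minMillis = opts.minMillis ?? 1000;
  const now = opts.now ?? (() => Date.now());
  const state = { inViewSince: null, viewable: false };

  // Take one measurement. Call it from the host callback and from a timer,
  // because the host only notifies when geometry or focus changes.
  function sample() {
    if (state.viewable) return state.viewable;
    const pct = sf.ext.inViewPercentage();      // 0-100, computed by the host
    const focused = sf.ext.winHasFocus();
    if (pct >= minPercent && focused) {
      if (state.inViewSince === null) state.inViewSince = now();
      state.viewable = now() - state.inViewSince >= minMillis;
    } else {
      state.inViewSince = null;                 // streak broken, start over
    }
    return state.viewable;
  }

  // The creative never touches the publisher DOM; it only receives status strings.
  sf.ext.register(opts.width ?? 300, opts.height ?? 250, (status) => {
    if (status === "geom-update" || status === "focus-change") sample();
  });
  return { sample, state };
}

// Constructed stand-in for the host side so the example runs outside a browser.
function makeStubHost(initialPercent) {
  let percent = initialPercent, focused = true, callback = null;
  return {
    sf: { ext: {
      register: (w, h, cb) => { callback = cb; },
      inViewPercentage: () => percent,
      winHasFocus: () => focused,
    } },
    setPercent: (p) => { percent = p; callback("geom-update"); },
    setFocus: (f) => { focused = f; callback("focus-change"); },
  };
}
```

Inside a real SafeFrame container the creative would pass `window.$sf` instead of the stub and call `sample()` on an interval; the reporting of the result to the advertiser's own endpoint is left to the creative, which is exactly the gap described above.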
Protecting Your Site
SafeFrame is an effective security measure, but should only be considered a necessary security baseline. Sophisticated and determined attackers know their way around these kinds of free, DIY solutions, and need to be dealt with using more advanced solutions.
Partnering with an ad security group is the best way to fight back against malicious advertisers. But even the largest security companies rely on tactics like blocklisting and verification that bad actors can easily circumvent.
If you are experiencing ad attacks, and are watching your site metrics and ad revenue plummet, you can sign up for a free 14-day cleanAD trial here.