SafeFrame Vs. cleanAD

by Andrew Reed, on Nov 9, 2021 10:25:56 AM

SafeFrame has been a growing staple of anti-malvertising protection since its inception six years ago, but the API-enabled iFrame is not always enough to keep your site protected.

As with any DIY solution, SafeFrame effectiveness will be limited by the scope of its capabilities.

Cross-site scripting, mobile redirects, and other attacks that can escape sandboxing will not be prevented by SafeFrame and often need a more precise approach in order to eliminate them from your site.


How SafeFrame Protects Your Site

SafeFrame is an API-Enabled iFrame that allows the publisher’s site to communicate data to the advertiser without giving the advertiser access to the site's main page, reducing the risk of malicious content on your site.

iFrames, in their most basic terms, act as windows to other domains, allowing content from other URLs to be shared on your webpage.

This allows advertisers to share content on your webpage, but the “same-origin policy” used by most browsers prevents content from different origins from gaining access to each other's information and content.

This way, publishers can display ads on their site while mitigating the risk of malvertisers gaining access to their site, forcing redirects, and stealing valuable private information from their users.

But the same restrictions that protect your site also limit the abilities of advertisers.

Because advertisers can no longer communicate with your site, they can no longer properly scale their ads within it and lose the ability to obtain viewability metrics, which many advertisers rely on to understand the success of their ads and the value of your website.

This is where SafeFrame comes in, adding an API to the iFrame that allows secure communication between the advertiser and the publisher's site.

API, standing for Application Programming Interface, is the software that allows for two applications to talk to each other and is the backbone of almost all interconnectivity on the internet.

Whenever you text, email, or search online, your message is sent across a secure API between your device and another. 

For example, when you go to check the weather online (either on your phone or desktop), your device sends data (your zip code or geolocation) to the weather group’s data server and requests data (your area's forecast) to be sent back to you.

The way this data is communicated is over an API.

By applying this to an iFrame, SafeFrame has created a secure line of communication between advertisers and publishers, where publishers can control what information is sent to the advertiser. 
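A simplified model of the idea above, as an added example that is not SafeFrame's own code or part of the original article: the publisher's page answers only an allowlisted request that arrives from the ad frame's origin and window. `AD_ORIGIN`, `handleAdMessage` and the `geom` message type are hypothetical names.

```javascript
// Simplified model of a publisher-side broker for messages from an ad iframe.
// AD_ORIGIN, handleAdMessage and the "geom" type are hypothetical names.
const AD_ORIGIN = "https://ads.example"; // assumed origin of the ad frame

// Percentage of the slot's area that lies inside the viewport.
function inViewPercentage(rect, viewport) {
  const w = Math.max(0, Math.min(rect.right, viewport.width) - Math.max(rect.left, 0));
  const h = Math.max(0, Math.min(rect.bottom, viewport.height) - Math.max(rect.top, 0));
  const area = (rect.right - rect.left) * (rect.bottom - rect.top);
  return area > 0 ? Math.round((w * h * 100) / area) : 0;
}

// The only requests the publisher chooses to answer; everything else is dropped.
const HANDLERS = {
  geom: (ctx) => ({
    width: ctx.rect.right - ctx.rect.left,
    height: ctx.rect.bottom - ctx.rect.top,
    inView: inViewPercentage(ctx.rect, ctx.viewport),
  }),
};

// event is MessageEvent-shaped; ctx holds what the host knows about the ad slot.
function handleAdMessage(event, ctx) {
  if (event.origin !== AD_ORIGIN) return null;      // sender is not the ad origin
  if (event.source !== ctx.adWindow) return null;   // not the ad frame's window
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return null;
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, msg.type)) return null;
  const id = typeof msg.id === "number" ? msg.id : null;
  return { type: msg.type, id, payload: HANDLERS[msg.type](ctx) };
}

// Browser wiring (not executed here):
// window.addEventListener("message", (e) => {
//   const reply = handleAdMessage(e, ctx);
//   if (reply) e.source.postMessage(reply, AD_ORIGIN);
// });

// Constructed sample: a 300x250 slot half below the fold of an 800x600 viewport.
function demo() {
  const adWindow = {}; // stand-in for iframe.contentWindow
  const rect = { left: 0, top: 475, right: 300, bottom: 725 };
  const ctx = { adWindow, rect, viewport: { width: 800, height: 600 } };
  const from = (origin, data) => handleAdMessage({ origin, source: adWindow, data }, ctx);
  return [
    from(AD_ORIGIN, { type: "geom", id: 1 }),               // answered
    from(AD_ORIGIN, { type: "cookies", id: 2 }),            // not allowlisted
    from("https://other.example", { type: "geom", id: 3 }), // wrong origin
  ];
}
```

The ad receives the slot's size and in-view percentage and nothing else; a request for any other data, or from any other origin or window, gets no reply.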


Drawbacks of SafeFrame

While SafeFrame sounds like a great final solution to malvertising, it still has a number of drawbacks that leave you vulnerable to sophisticated malicious attacks.

Browsers will often have vulnerabilities that allow attackers to escape the SafeFrame and inject malicious JavaScript into your site. This is accomplished through cross-site scripting attacks that allow attackers to work around the same-origin policy.

These vulnerabilities can lie unpatched for extended periods of time. And even when a browser update patches the issue, users aren’t always reliable when it comes to updating their tech. Once vulnerabilities get patched, it is only a matter of time before bad actors find another hole to go through.

Stripped-down mobile browsers may also lack the features required for SafeFrames to work, or have other security vulnerabilities that make it easier to bypass SafeFrames.

And finally, SafeFrame does not directly report viewability metrics. The API only allows for access to information the advertiser can use to determine whether or not the SafeFrame container is "in view."

This may be acceptable information for some advertisers, but those looking for detailed reporting will avoid this kind of approach.


Teaming Up With cleanAD

If you are seeing malicious attacks coming through your webpage, even with SafeFrames enabled, and are looking for a more reliable solution, your next step is to partner with a group of ad security experts.

Traditional anti-malvertising groups rely on blocklisting dangerous URLs (which you may already be doing on your own) and preventing them from advertising on your site. 

But this approach is easily countered by bad actors who can quickly swap out the blocked URL for a new one. This reactive approach keeps you in a constant cycle of playing whack-a-mole with malicious advertisers.

Beyond this, because the ad is only blocked after being rendered on your page, ad impressions cannot be earned and your revenue per page view decreases as a result.

Unlike either of these tools, cleanAD is able to behaviorally detect malicious ads at runtime, keeping you protected from any and all attacks, while also allowing ad impression pixels to fire.

Dangerous, sophisticated ads may make it past iFrames, SafeFrame, and blocklists, but clean keeps your website safe no matter the attack and keeps you earning revenue from the dangerous ads you block.

If you are struggling with malicious attacks, and are tired of tracking down and playing whack-a-mole with malicious actors, sign up for a free 14-day cleanAD trial here.


