Types of iFrames and When to Use Them

by Andrew Reed, on Nov 16, 2021 9:00:00 AM

When it comes to safely monetizing your site with ads, there is more than one tool you can use. Depending on the type of ad and your relationship with the advertiser, you can choose anything from highly restrictive frames to open frames that allow advertisers to edit your site’s main page.

Each of these comes with its benefits and limitations, and knowing the difference between them can help you decide which you are comfortable with, and which you might need to implement when partnering with specific advertisers.

Below we have put together a quick list of the different iFrames, what they are capable of, and what their limitations are:

  • Friendly iFrame, or “same-domain iFrame”: an iFrame that shares the same domain as the main page it is hosted on. Sharing a domain allows the ad content to “break out” of the iFrame and manipulate content on the publisher’s page.

    Because of this, friendly iFrames should be reserved for advertisers you have a direct and/or trusted relationship with.


  • Unfriendly iFrame, or “cross-domain iFrame”: an unfriendly iFrame pulls advertisements hosted under a different domain from that of the iFrame tag. Because of the browser’s “same-origin policy”, the content within the iFrame is unable to interact with the site it is being hosted on.

    This protects the publisher’s page from unwanted, malicious behavior from third-party JavaScript, but also restricts the publisher from reporting important metrics to advertisers (like viewability, the size of the ad unit, interactive media, and basic performance metrics).

    This is generally used for display ads that do not contain rich media, and should be implemented when using programmatic advertising or when the advertiser is unknown and does not require data from the publisher’s site.


  • SafeFrame: an API-enabled unfriendly iFrame that creates a line of secure communication between the webpage code and the ad contents. The API allows some controlled information to be shared between domains while keeping malicious code from being injected into the site, but it still has many restrictions advertisers find unfavorable.

    SafeFrame is a great compromise between friendly and unfriendly iFrames, and suits cases where the advertiser is unknown but still requires some information from the publisher's page.
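
The three frame types above differ in what the browser lets the ad reach. The following is an added example, not code from this article or from the SafeFrame specification: it classifies a frame as friendly or unfriendly by comparing origins, then shows a publisher-side message broker in the spirit of SafeFrame that answers only allowlisted requests from the expected ad origin. The function names and the example.* URLs are hypothetical.

```javascript
// Added example: helper names and sample URLs are constructed for illustration.

// The browser isolates frames by origin: scheme + host + port must all match.
// A sibling subdomain or a different scheme therefore counts as cross-origin.
function classifyFrame(pageUrl, frameSrc) {
  const page = new URL(pageUrl);
  const frame = new URL(frameSrc, page); // relative src resolves against the page
  return frame.origin === page.origin ? "friendly" : "unfriendly";
}

// Publisher-side broker: the ad stays cross-origin and may only request a
// fixed set of facts over postMessage. Nothing else on the page is exposed.
function makeAdBroker(adOrigin, geometry) {
  const allowed = {
    geom: () => ({ width: geometry.width, height: geometry.height }),
    inView: () => ({ percent: geometry.percentInView }),
  };
  return function onMessage(event) {
    // Drop anything not sent by the frame we placed.
    if (event.origin !== adOrigin) return null;
    const msg = event.data;
    // Drop malformed payloads.
    if (!msg || typeof msg.type !== "string") return null;
    // Own-property check so names like "constructor" never resolve.
    if (!Object.prototype.hasOwnProperty.call(allowed, msg.type)) return null;
    return { type: msg.type, payload: allowed[msg.type]() };
  };
}

// In a page this would be wired up as:
//   const broker = makeAdBroker("https://adnetwork.example", slotGeometry);
//   window.addEventListener("message", (e) => {
//     const reply = broker(e);
//     if (reply) e.source.postMessage(reply, e.origin);
//   });
```

Replying with an explicit target origin rather than "*" keeps the answer from reaching a frame that has since navigated elsewhere.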



iFrame and SafeFrame Limitations

iFrames and SafeFrames are free, DIY security tools with several drawbacks and limitations, and should only be seen as a baseline security measure for display advertisements.

Platforms and advertisers serving rich media often advise against these highly restrictive frames because they prevent the rich interactions necessary to display more lucrative ad types (e.g. native ads, video players, take-over ads), and often prefer friendly iFrames so their JavaScript can properly interact with the webpage.

And while you are able to serve standard display ads through iFrames and SafeFrame, attackers abusing browser vulnerabilities and cross-site scripting can still break out of the “secure” frames and attack your users with redirects and pop-ups.

More often than not, running a robust advertising campaign will have you using a variety of techniques, frames, and ad types, each leaving your site vulnerable to attacks in unique ways.

The only way to ensure your site is truly protected on every front is to sign up with a team of anti-malvertising experts that offer real-time protection from a variety of attacks.


Partner With an Ad Security Group

Partnering with an ad security group means handing off all your malvertising woes to a team of experts who protect dozens of sites. 

Most ad security groups work with you to build a blocklist from your third-party attackers and their ever-growing database of known malicious URLs.

The issue with this approach is that you are left vulnerable to new attack types malvertisers turn to as old techniques become less effective.

Along with this, because the creative itself is being blocked, you are unable to earn ad impressions or revenue from advertisements on your blocklist.

At cleanAD, our unique script protects your site behaviorally and blocks ads at runtime. This means you are always protected from attacks, even when new ones enter the ecosystem, while also allowing you to still earn ad impressions on malicious creatives.

This is not only great for your overall ad yield but also creates a financial disincentive for malvertisers targeting your site.

If you are struggling with malicious advertising groups and want to learn more about what our solution can do for you, you can get in touch with a salesman and sign up for a free 14-day trial here.
