Types of iFrames and When to Use Them

by Andrew Reed, on Nov 16, 2021 9:00:00 AM

When it comes to safely monetizing your website with ads, there is more than just one tool you can use. Depending on the type of ad and your relationship with the advertiser, you can choose between highly restrictive frames to open frames that allow them access to you edit your site's main page.

But first, let's start with the basics.

What Are iFrames?

An iFrame, also knowns as Inline Frame, is an element that loads another HTML element inside of a web page. They are commonly used to embed specific content like external ads, videos, tags, or other interactive elements into the html code on a page.


Each type of iFrame code comes with its benefits and limitations, and knowing the difference between them can help you decide which you are comfortable with, and which you might need to implement when partnering with specific advertisers and embedded content.

Below we have put together a quick list of the different iFrames, what they are capable of, and what their limitations are:

  • Friendly iFrame: or "same-domain iframe"; An iFrame that shares the same domain as the main page it is hosted on. Sharing a domain allows the ad content to "break out" of the iFrame and manipulate content on the publisher's page.

Because of this, friendly iFrames should be reserved for advertisers and scripts you have a direct and/or trusted relationship.

  • Unfriendly iFrame: or "cross-domain iFrame"; An Unfriendly iFrame code pulls advertisements hosted under a different domain to that of the iFrame tag. Because of the "same-domain policy", the content within the iFrame is unable to interact with the site it is being hosted on.

This protects the publisher's page and iFrame content from unwanted, harmful ads from malicious websites and their third-party JavaScript, but also restricts the publisher from reporting important metrics to advertisers (like viewability, the size of the ad unit, interactive media, and basic performance metrics).

This is genuinely used for display ads that do not contain rich media and should be implemented when using programmatic advertising; or when the advertiser is unknown and does not require data from the publisher's site.

  • SafeFrames : An API-Enabled Unfriendly iFrame that is able to create a line of secure communication between the webpage code and the ad contents. The API allows for some controlled information to be shared between domains while keeping malicious code from injecting onto the site, but still has many restrictions advertisers find unfavorable.

SafeFrame is a great compromise between friendly and unfriendly iFrames, or when the advertiser is unknown and still requires some information from the publisher's page in order to embed code.

--Article Continues Below--AdOps Guide

--Article Continues Below--


iFrame and SafeFrame Limitations

iFrames and SafeFrames are free, DIY security tools with several drawbacks and limitations, and should only be seen as a baseline security measure for display advertisements.

Platforms and advertisers serving rich media often advise against these highly restrictive frames because they prevent the rich interactions necessary to display more lucrative ad types (i.e. native ads, video players, take-over ads), and often prefer friendly iFrames so their JavaScript can properly interact with the webpage.

And while you are able to serve standard display ads through iFrames and SafeFrame, attackers abusing browser vulnerabilities and cross-site scripting can still break out of the "secure" frames and attack your user with redirects and pop-ups.

More often than not, running a robust advertising campaign will have you using a variety of techniques, frames, and ad types, each leaving your site vulnerable to attacks in unique ways.

The only way to ensure each frame and your site is truly protected on every front is to sign up with a team of anti-malvertising experts that offer real-time protection from a variety of attacks.

Partner With an Ad Security Group

Partnering with an ad security group means handing off all your malvertising woes to a team of experts who protect dozens of sites.

Most ad security groups work with you to build a blocklist out of your third-party attackers, and their ever-growing database of known malicious URLs.

The issue with this approach is that you are left vulnerable to new attack types malvertisers turn to as old techniques become less effective.

Along with this, because the creative itself is being blocked, you are unable to earn ad impressions or revenue from advertisements on your blocklist.

At cleanAD, our unique script protects your site behaviorally and blocks ads at runtime. This means you are always protected from attacks, even when new ones enter the ecosystem, while also allowing you to still earn ad impressions on malicious creatives.

This not only is great for your overall ad yield but also creates a financial disincentive for malvertisers targeting your site.

If you are struggling with malicious advertising groups, and want to learn more about what our solution can do for you, you get in touch with a salesman and signup for a free 14-day trial here.

New call-to-action

Topics:MalvertisingMalvertising 101Malvertising SolutionsDigital Engagement SecurityAd Revenue

Our blog

Where businesses come to learn more about protecting the points of digital engagement with their customers, audiences and users.

Subscribe to Updates