What is a SafeFrame Container Used for?

by Andrew Reed, on Sep 29, 2021 9:00:00 AM

SafeFrame containers are a special type of iFrame used to protect online advertising publishers' websites from malicious advertising, while still allowing some customization and communication between the publisher and advertiser.

This is made possible by adding a secure API to the iFrame, which allows limited communication between domains without compromising the publisher's webpage.

Sounds a bit confusing? Let's break it down. 



In online advertising, ads are typically served into something called an iFrame, which is a dedicated space in between the content of a publisher's page that acts like a window to an advertiser's content.

iFrames allow content from a separate domain to be loaded onto a site independently, completely isolated from the rest of the content on the page.

iFrame on Factinate

This isolation protects the publisher's page from unwanted interruptions or threats to the user’s experience, but also gives very limited functionality to the advertiser.

Mainly, iFrames prevent advertisers from changing the size and shape of their ad and from tracking viewability metrics. Beyond this, because the ad is trapped within the iFrame, rich media placed inside it cannot be interacted with.

To navigate around these limitations, publishers will allow advertisers and ad networks to place JavaScript on their webpage to facilitate ad delivery, interactive media, and viewability tracking. 

Issues with JavaScript

This might sound like a great final solution, but JavaScript placed directly on a webpage, rather than inside an iFrame, can read all the data on that page.

This means an advertiser's script can read and potentially steal stored private information (customer emails, credit card numbers, etc.), as well as force redirects or create interactions that break page functionality by making changes to your site's code.

Until SafeFrame, publishers had to simply trust advertisers not to implement such malicious code, and distance themselves from the ones who did.

The solution to this was adding API functionality to iFrames, thus creating SafeFrame.


API and SafeFrame

API stands for Application Programming Interface. It is the software that allows two applications to talk to each other, and it is the backbone of almost all interconnectivity on the internet.

Whenever you text, email, or search online, your message is sent across a secure API between your device and another. 

For example, when you go to check the weather online (either on your phone or desktop), your device sends data (your zip code or geolocation) to the weather group’s data server and requests data (your area's forecast) to be sent back to you.

The way this data is communicated is over an API.

By applying this to an iFrame, SafeFrame has created a secure line of communication between advertisers and publishers, where publishers can control what information is sent to the advertiser.
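
The publisher-controlled channel described above can be pictured as a message gatekeeper running on the publisher's page. The following is an added example, not code from this article or from the SafeFrame library; the origin, policy values, command names and function names are all assumptions made for illustration.

```javascript
// Added example: all names here are hypothetical, not the IAB SafeFrame API.
const AD_ORIGIN = "https://ads.example"; // constructed ad-serving origin
const POLICY = { maxWidth: 970, maxHeight: 250, sharedKeys: ["section", "lang"] };

const drop = (reason) => ({ action: "drop", reason });

// Decide what the publisher page does with one message from the ad frame.
// event: shaped like a browser MessageEvent { origin, source, data }.
// slot:  publisher's record { frameWindow, width, height, meta }.
function handleAdMessage(event, slot) {
  // Only the expected origin and the exact frame the publisher created may talk.
  if (event.origin !== AD_ORIGIN || event.source !== slot.frameWindow) {
    return drop("untrusted sender");
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || typeof msg.cmd !== "string") {
    return drop("malformed message");
  }
  switch (msg.cmd) {
    case "expand": {
      const w = msg.width, h = msg.height;
      if (!Number.isInteger(w) || !Number.isInteger(h) || w <= 0 || h <= 0) {
        return drop("bad size");
      }
      // The ad may ask for a size; the publisher's policy caps the result.
      return { action: "resize", width: Math.min(w, POLICY.maxWidth),
               height: Math.min(h, POLICY.maxHeight) };
    }
    case "collapse":
      return { action: "resize", width: slot.width, height: slot.height };
    case "meta":
      // Only keys the publisher chose to share ever leave the page.
      if (!POLICY.sharedKeys.includes(msg.key)) return drop("key not shared");
      return { action: "reply", data: { [msg.key]: slot.meta[msg.key] } };
    default:
      // Anything off the allowlist is ignored rather than interpreted.
      return drop("command not allowed");
  }
}

// Browser wiring (not run here): the frame is created sandboxed, then
//   window.addEventListener("message", (e) => apply(handleAdMessage(e, slot)));
// where apply() is a hypothetical function that resizes the frame or posts a reply.
```

The handler returns a decision instead of touching the page, so the publisher's code remains the only thing that resizes the frame or sends data back to it.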


Problems with SafeFrame

While SafeFrame is an effective solution to protecting your site from malicious advertisers, it still comes with a number of drawbacks.

For instance, viewability metrics still cannot be shared over SafeFrames, and while advertisers are able to manipulate the size and shape of their ads, rich media content can still struggle to load properly.

This leads many publishers to continue to allow advertisers to write JavaScript on their sites.

Not only this, but SafeFrame is roughly 10 years old, and even with its updates is not without vulnerabilities.

The most sophisticated malvertisers are masters of online advertising, and can and will find vulnerabilities in your site to attack your users.

If you want true protection from bad actors, and also want to be able to offer advertisers rich media ads, viewability metrics, and the ability to customize the size and shape of their ads, partnering with an ad security company is your best bet.

At clean.io, our unique cleanAD script behaviorally catches malicious actors, removing the need for iFrames, SafeFrames, and blocklists, and guarantees you protection against any new or current advertising threats.

If you are experiencing a malvertising problem, sign up for our 14-day free trial and watch your site metrics improve and ad revenue increase. 

