What is SafeFrame and How Does It Help Publishers?

by Andrew Reed, on Sep 16, 2021 9:15:00 AM

Whether you are old or new to online advertising, you have probably noticed that checkbox about serving into a SafeFrame when setting up your ad containers. But have you ever wondered what that means, and what it is trying to keep you safe from?

Here we are going to break down what web page frames are, and how they leave you vulnerable to malicious advertising attacks. 

And to do that, it is best to start with what an iFrame is in relation to your website and advertising campaign.



All content on your web page is served through what is called the main window. This holds together smaller windows and frames that piece together the overall look and functionality of your website. 

One of these smaller frames is called an Inline Frame, or iFrame. It is an HTML document embedded inside the main window that loads independently from the rest of your webpage and can contain elements from websites other than your own.

They are often used to insert content on a webpage from another source, like YouTube video players or advertisements.

Because the content within the iFrame cannot leave its container, publishers can use them to shape and place ads on their site without them merging into and disrupting their content.

In some cases, the embedded HTML document may also contain JavaScript and/or CSS from the advertiser in order to reshape their advertisement to fit the frame and/or receive information off the webpage.

These scripts most commonly work to track the engagement performance of the advertisement within the frame. But because third parties are writing JavaScript on your webpage, you are innately vulnerable to bad actors looking to abuse your site or steal user information.

Because of this, you should only embed iframes from reliable sources. Otherwise you may be leaving yourself vulnerable to ad attacks and other malicious content.

Another preventative measure is to enable SafeFrame, which allows data collection and communication between advertisers and their publishers without giving advertisers the permissions that would allow them to target your site with harmful content.


What is SafeFrame and How Does it Work

In general, because the content within an iFrame is loaded from the bottom up (that is, from another webpage, into the iFrame, then into the main window) and not out of the main window itself, the content within the iFrame cannot interact with or change any of the other content on the main window of your site.

This is a standard security policy of most web browsers that prevents content from two different URLs, or “cross-domain” content, from interacting or interfering with each other.

This means that any of the CSS/JavaScript an advertiser has placed within its advertisement cannot interact with the rest of your webpage, preventing advertisers from controlling the shape of their ads and tracking their performance.

Publishers generally take two approaches to getting around this. First is by giving advertisers access to their website’s main window, allowing them to add desired JavaScript/CSS without restriction.

But because this basically gives the advertiser the freedom to do whatever they please to your webpage, this is usually reserved for direct buyers that have a trustworthy relationship with the publisher.

The other is to set up a messaging tool between the website and the iFrame that sends selective information between the website and the advertiser. But this requires extra coding on the side of the publisher that can vary depending on the goals of the advertiser.
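
One way to build the messaging channel described above, shown as an added example rather than code from the original article: the publisher's handler checks the sender's origin and window, then answers only allowlisted requests. The origin `https://ads.example.net`, the message types and the slot fields are assumptions made for illustration.

```javascript
// Added example: publisher-side handler for a hand-rolled page <-> ad iFrame channel.
// AD_ORIGIN, the message types and the slot field names are assumptions.
const AD_ORIGIN = 'https://ads.example.net';

// Only these requests are answered; each returns data the publisher chose to share.
const HANDLERS = {
  viewability: (slot) => ({ inViewPercent: slot.inViewPercent }),
  geometry: (slot) => ({ width: slot.width, height: slot.height }),
};

// Returns the reply to post back to the frame, or null when the message is dropped.
function handleAdMessage(event, slot) {
  // 1. Drop any sender other than the expected ad origin.
  if (event.origin !== AD_ORIGIN) return null;
  // 2. Drop messages that do not come from this slot's own iFrame window.
  if (event.source !== slot.frameWindow) return null;
  // 3. Accept only an object whose type is on the allowlist (own keys only).
  const msg = event.data;
  if (msg === null || typeof msg !== 'object' || typeof msg.type !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, msg.type)) return null;
  return { type: msg.type, payload: HANDLERS[msg.type](slot) };
}

// Browser wiring: call attach(slot) on the publisher page.
function attach(slot) {
  window.addEventListener('message', (event) => {
    const reply = handleAdMessage(event, slot);
    // Name the target origin explicitly instead of "*" so the reply cannot leak.
    if (reply) event.source.postMessage(reply, AD_ORIGIN);
  });
}

// Constructed sample input: a stand-in iFrame window and slot state.
const frameWindow = {};
const slot = { frameWindow, width: 300, height: 250, inViewPercent: 80, userEmail: 'reader@example.com' };

function demo() {
  const ev = (origin, type) => ({ origin, source: frameWindow, data: { type } });
  return [
    handleAdMessage(ev(AD_ORIGIN, 'geometry'), slot),              // answered
    handleAdMessage(ev('https://other.example', 'geometry'), slot), // wrong origin
    handleAdMessage(ev(AD_ORIGIN, 'userEmail'), slot),             // not allowlisted
  ];
}
console.log(demo());
```

Every new piece of information an advertiser wants means another entry in `HANDLERS`, which is the per-advertiser coding cost the paragraph above refers to.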

Because both of these solutions have their drawbacks and are impractical for most programmatic deals, the IAB created SafeFrame by adding a secure API to iFrame elements (an API being the standard software that allows two applications to communicate with each other).

This protects publishers from malicious code while allowing advertisers to receive their desired information.



Benefits of SafeFrame

  • Minimizes Threats of Forced Redirects and Other Malicious Behavior

Bad actors will often hide malicious code in their advertisements, trying to steal valuable information from your site and its users. For example, some bad ads may force users away from your page and bring them to websites looking to steal their information (credit card info, SSN, or just regular browsing data), or may leave a script that will strip this information directly off your site.

Because SafeFrame limits what advertisers can do through the iFrame, you are negating the risks of these kinds of attacks.

  • More Control, Safer Control

Publishers using SafeFrame are given more granular control over what kind of information can be sent between their website and advertisers.

This means you can assure your users of the safety of their private information, and/or tell them exactly what is being shared.

  • Reduced Costs and Energy

Because SafeFrame protects your iFrames automatically, and is updated and administered by IAB, you no longer have to hire a developer to create or maintain messaging channels between you and your advertisers.


Enabling SafeFrames on Google Ads

SafeFrame is either ON or OFF by default depending on the display creative type being used.

Activating SafeFrame for a creative that is intended to serve in a non-SafeFrame page or vice versa may cause rendering issues for the creative. Understand where the creative is intended to serve and set SafeFrame accordingly.

For Custom and third-party creatives, SafeFrame will be on by default. If you supply your own ad template, or an ad template from your ad network, it will be left off.

If you would like to turn SafeFrame on or off, you can do that by simply selecting or deselecting the “Serve in SafeFrame” option when setting up your ad unit.



But be wary, turning SafeFrames off for an ad that is intended to be in a SafeFrame, and vice versa, may cause the ad to render incorrectly.

If you are not sure what kind of ads you are serving, you can learn more here


Not a Final Solution

While SafeFrame offers publishers a way to safely communicate data to advertisers, bad actors are still able to find their way around its security features. 

SafeFrame was implemented nearly 10 years ago, giving bad actors plenty of time to learn new ways of attacking your site. Even with its many updates, SafeFrame still leaves you open to attacks.

Partnering with an ad security group will help put a stop to any stubborn bad actors. At clean.io, our innovative behavior-based software uniquely blocks malicious ads at runtime, eliminating the need for blocklists while still allowing ad impressions to fire. This way, you still get paid for the ads you block.

If you are experiencing harmful attacks from malicious advertisers, you can sign up for a free trial here.

