SafeFrame 101: Everything You Need to Know About the Syndicated Security Tool (and more)

About This Guide

Protecting your website from malvertisers and bad ads is crucial to user experience, site metrics, and overall ad yield. And while the malvertising ecosystem is vast and complex, there are DIY solutions that offer reasonable protection from basic malvertising attacks.

If you are publishing over Google AdSense or Ad Manager, many of these security features come with the platform. This includes SafeFrame, a secure, API-enabled iFrame that allows controlled communication between an advertiser’s ad and the website on which it is published.

But even with this type of security, there are still vulnerabilities that sophisticated bad actors are able to exploit, and will be able to use to redirect users, steal private information, or serve intentionally deceitful content with malicious JavaScript.

What is SafeFrame?

SafeFrame containers are a special type of iFrame that is used to protect online advertising publishers’ websites from malicious advertising, while still allowing for some customization and communication between the publisher and advertiser.

This is made possible by enabling a secure API to the iFrame, giving limited communication between domains without compromising the publisher's webpage.

Sound a bit confusing? Let's break it down, starting with iFrames.

All content on your web page is served through what is called the main window. This holds together smaller windows and frames that piece together the overall look and functionality of your website. 

One of these smaller frames is called an “Inline Frame”, or iFrame, and is an HTML document embedded inside the main window that loads independently from the rest of your webpage. These frames usually contain elements from websites other than your own.

iFrames are most often used to insert content on a webpage from another source, like YouTube video players or advertisements.

Thus, iFrames essentially work as windows to other web pages’ content.

Because the same-origin policy (which prevents content from different domains from interacting with each other) keeps content within the iFrame from leaving its container (the code that defines the boundaries, or “frame”, within which the content is displayed), publishers can use iFrames to shape and place ads on their site without them merging into and disrupting their content.

These frames are intended for use in protecting publisher websites but come with a number of drawbacks for advertisers. This is because iFrames also prevent data and metrics from being shared between the publisher’s page and the advertiser.

A common remedy to this issue is to grant advertisers full access to the publisher’s page, allowing them to insert JavaScript that can track users and deliver ads consisting of interactive, rich media.

The danger inherent in this approach is that allowing unknown advertisers access to your page means giving them access to affect it any way they choose - meaning they can disrupt content, implement redirects, share harmful ads, or install malware onto users' devices.

Because of this threat, it’s important that publishers understand when it is safe to allow advertisers access, and when to implement iFrames.

iFrames vs Friendly iFrames

Depending on the type of ad and your relationship with the advertiser, you can choose between highly restrictive frames versus “friendly” frames that allow them access to edit your site’s main page.

Each of these comes with its benefits and limitations, and knowing the difference between them can help you decide which you are comfortable with when partnering with a variety of advertisers.

  • Friendly iFrame, or “same-domain iFrame”: A friendly frame is an iFrame that shares the same domain as the main page on which it is hosted. Sharing a domain allows the ad content to “break out” of the iFrame and manipulate content on the publisher’s page.

    This allows advertisers to implement custom tracking information to gain a better understanding of their ad performance.

    It also provides advertisers the ability to share rich, interactive ads that “break out” of frames, such as takeover ads and other pop-ups, that often gain higher viewability and click-through rates.

    The downside is that friendly frames give advertisers the ability to insert JavaScript that is potentially harmful to your site and your users.

    Because of this, friendly iFrames should be reserved for advertisers with whom you have a direct and/or trusted relationship.

  • Unfriendly iFrame, or “cross-domain iFrame”: An unfriendly iFrame pulls advertisements hosted under a different domain into a publisher’s domain using the iFrame tag. Due to limitations imposed by the same-origin policy, the content within a cross-domain iFrame is unable to interact with the site it is being hosted on.

    This protects the publisher’s page from unwanted, malicious behavior from third-party JavaScript, but also restricts the publisher from reporting important metrics to advertisers (like viewability, the size of the ad unit, interactive media, and basic performance metrics).

    Cross-domain iFrames are typically used for display ads that do not contain rich media and are implemented when using programmatic advertising, or when the advertiser is unknown and does not require data from the publisher’s site.

Both options are viable in their own unique situations, but what happens when unknown advertisers need to size their ads and require viewability metrics from your webpage?

This is where SafeFrame comes in.

What is SafeFrame and How Does it Work?

In general, because the content within an iFrame is being loaded from the bottom up (that is, from another domain, into the iFrame, then into the main window) and not out of the main window itself (or the same domain as the publisher page), the content within the iFrame cannot interact with, or change, any of the other content on the main window of your site.

This is a standard security policy of most web browsers that prevents content from two different URLs, or “cross-domain” content, from interacting or interfering with each other.

What this means for you as a publisher is that any of the CSS/JavaScript an advertiser has placed within an iFrame cannot interact with the rest of your webpage, thus preventing advertisers from controlling the shape of their ads and tracking their performance.

As we have mentioned, publishers generally take two approaches to get around this. The first, and most risky, involves giving advertisers access to the website’s main window, allowing them to add their desired JavaScript/CSS without restriction.

Because this basically gives the advertiser the freedom to do whatever they please to your webpage, this approach should be reserved for direct buyers with whom you as a publisher have a trustworthy relationship.

The other is to set up a messaging tool between the website and the iFrame, that sends selective information between the website and the advertiser. This requires extra coding on the side of the publisher that can vary in complexity depending on the goals of the advertiser.

Because both these solutions have their drawbacks and are impractical to most programmatic deals, the IAB created SafeFrame by adding a secure API to iFrame elements.
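To make the selective-messaging approach concrete, here is an added JavaScript example (it is not the IAB SafeFrame reference code and not cleanAD's): a publisher-side handler that accepts messages only from the ad frame's origin, answers only a fixed set of requests, and exposes just the slot geometry an ad needs to judge whether it is in view. The origin, slot layout, viewport and message shapes are constructed for the example; in a real page the same logic would sit in a window `message` listener and reply with `event.source.postMessage(reply, AD_ORIGIN)`.

```javascript
// Publisher-side message bridge for one ad iFrame (added example, constructed values).
const AD_ORIGIN = "https://ads.example-ad-server.test"; // constructed: origin the ad frame is served from

// Host-side view of one ad slot: the iFrame's position in page coordinates.
const slot = {
  id: "slot-300x250",                                       // constructed slot identifier
  rect: { left: 100, top: 900, width: 300, height: 250 },
};
// Constructed viewport: scrolled 1000px down, 1280x720 window.
const viewport = { scrollX: 0, scrollY: 1000, width: 1280, height: 720 };

// Fraction (0..1) of the slot's area that lies inside the viewport.
function inViewFraction(rect, vp) {
  const x1 = Math.max(rect.left, vp.scrollX);
  const y1 = Math.max(rect.top, vp.scrollY);
  const x2 = Math.min(rect.left + rect.width, vp.scrollX + vp.width);
  const y2 = Math.min(rect.top + rect.height, vp.scrollY + vp.height);
  const visible = Math.max(0, x2 - x1) * Math.max(0, y2 - y1);
  return visible / (rect.width * rect.height);
}

// The only requests the host answers. Nothing here touches page content, cookies or
// storage; the ad learns its own size and visibility and nothing else.
const handlers = {
  geom: (s, vp) => ({
    width: s.rect.width,
    height: s.rect.height,
    inViewFraction: inViewFraction(s.rect, vp),
  }),
};

// Mirrors the MessageEvent fields a real listener would read: origin, source, data.
// Here `source` is modelled as the slot id; in a browser it is the sending Window.
// Returns the reply object, or null when the message must be ignored.
function handleAdMessage(event, s, vp) {
  if (event.origin !== AD_ORIGIN) return null;              // unexpected origin: drop silently
  if (event.source !== s.id) return null;                   // not the frame we created
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.cmd !== "string") return null;
  const known = Object.prototype.hasOwnProperty.call(handlers, msg.cmd);
  if (!known) return { cmd: msg.cmd, error: "unsupported" }; // e.g. a request for page data
  return { cmd: msg.cmd, ...handlers[msg.cmd](s, vp) };
}

// Constructed exchange: the ad asks for geometry, then tries an unsupported request.
function demo() {
  const ok = handleAdMessage({ origin: AD_ORIGIN, source: slot.id, data: { cmd: "geom" } }, slot, viewport);
  const denied = handleAdMessage({ origin: AD_ORIGIN, source: slot.id, data: { cmd: "readPage" } }, slot, viewport);
  const spoofed = handleAdMessage({ origin: "https://other.test", source: slot.id, data: { cmd: "geom" } }, slot, viewport);
  return { ok, denied, spoofed };
}
```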

API stands for Application Programming Interface and is the software that allows for two applications to talk to each other, as well as the backbone of almost all interconnectivity on the internet.

Whenever you text, email, or search online, your message is sent across a secure API between your device and the device, website, platform, or program with which it is communicating. 

For example, when you go to check the weather online (either on your phone or desktop), your device sends data (your zip code or geolocation) to the weather app’s data server and requests data (your area's forecast) to be sent back to you.

The way this data is communicated is over an API.

By applying this to an iFrame, SafeFrame has created a secure line of communication between advertisers and publishers, where publishers can control what information is sent to the advertiser.

This protects publishers, and their end-users, from malicious code while allowing advertisers to receive their desired information, but it’s still not without risk.

Benefits of SafeFrame

SafeFrame is a common and effective way to protect publisher websites from basic malvertising attacks, and its most important benefits include:

  • Minimizes Forced Redirects and Other Malicious Behavior

Bad actors will often hide malicious code in their advertisements, trying to steal valuable information from your site and its users. For example, some bad ads may force users away from your page and bring them to websites looking to steal their information (credit card info, SSN, or just regular browsing data), or may leave a script that will scrape this information directly off your site.

Because SafeFrame limits what advertisers can do through the iFrame, it negates many of the risks associated with these kinds of attacks.

  • More Control, Safer Control

Publishers using SafeFrame are given more granular control over what kinds of information can be sent between their website and advertisers.

This allows publishers to provide their users with specific assurances about the safety of their private information, and/or tell them what exactly is being shared.

  • Reduced Costs and Energy

Because SafeFrame protects iFrames automatically and is updated and administered by the Interactive Advertising Bureau (IAB), it means that publishers who use it no longer have to hire a developer to create or maintain messaging channels between them and their advertisers.

Drawbacks of SafeFrame

While SafeFrame sounds like an effective way to prevent malvertising, it still has a number of drawbacks that can leave you vulnerable to sophisticated malvertising attacks.

Browsers will often have vulnerabilities that allow attackers to escape the SafeFrame and inject malicious JavaScript into your site. This is accomplished through cross-site scripting attacks that allow attackers to work around the same-origin policy.

These vulnerabilities can lie unpatched for extended periods of time, and even when a browser update patches the issue, users aren’t always reliable when it comes to updating their tech. Once vulnerabilities get patched, it is only a matter of time before bad actors find another hole to go through.

Stripped-down mobile browsers may also lack the features required for SafeFrames to work, or have other security vulnerabilities that make it easier to bypass SafeFrames.

And finally, SafeFrame does not directly report viewability metrics. The API only allows for access to information the advertiser can use to determine whether or not the SafeFrame container is "in view."

This may be acceptable information for some advertisers, but those looking for detailed reporting will find it lacking.

What is Googlesyndication SafeFrame?

Googlesyndication SafeFrame is a term seen in a common pop-up that occurs in scenarios where programmatic advertising involves SafeFrame integration.

Although the name may appear in what seems to be potentially harmful or dangerous pop-up ads and redirects, Google Syndication is not itself dangerous and shouldn’t be treated like a virus.

Google Syndication is simply a Google-owned domain that is used to serve and track ads and other content on web pages through the iFrames on your website.

In this case, the Googlesyndication domain is simply the URL from which Google AdSense loads its creatives. If you are experiencing problems with ads on your site, it is likely that Googlesyndication is not to blame, but rather the result of a bad ad being served through the AdSense network.

Is SafeFrame 2.0 Enough To Protect My Site?

The IAB works consistently to improve advertising standards and SafeFrame is no exception. The main focus of SafeFrame 2.0 was to align with new technologies and online trends that have appeared in the 6-year gap since the original release of SafeFrame.

Most notably, SafeFrame 2.0 allows integration with other common advertising tools and platforms such as header bidding, Prebid, MRAID (Mobile Rich Media Ad Interface Definitions), and shifts towards mobile advertising, while also allowing for simpler customization options since the release of IAB’s Open Measurements For The Web.

And while increases in security are mentioned as one of the goals of the update, the software still handles protection in the same manner, meaning the same vulnerabilities remain.

Cross-site scripting and other advanced forms of malvertising make it possible for bad actors to escape the browser sandboxing that SafeFrame relies on, allowing for the delivery of malicious payloads onto your webpages.

Once these bad ads are delivered, they will work to redirect users, scrape user data, and otherwise harm your user experience. And keeping a safe space for your audience to enjoy your content is not only important to your overall security, but also to your reputation.

Frustrated users will view your site as a threat, and begin avoiding your content altogether, throwing a wrench in your site metrics and ad yield.

Time and resources will then be wasted as you are forced to manually track down and block harmful URLs, which bad actors will easily swap out and use to continue serving harmful ads.

SafeFrame is a helpful tool that any online publisher might consider using to combat malvertising, but it should be viewed as a baseline, DIY solution that requires additional and more advanced tools to be layered on top to effectively protect your site.

What To Do When Bad Ads Get Past Your SafeFrame Containers

If you have decided to keep your security limited to just SafeFrame and iFrames, it’s important to recognize that you will still be vulnerable to malvertising attacks that can put your users at risk and damage your reputation.

Keeping a sharp eye on your metrics will be the best way to discover when an ad has gotten by SafeFrame and escaped its container.

When this happens, users will either be directed off your site or bounce off it in frustration or fear of malware from unwanted pop-ups or otherwise upsetting or unwanted advertisements.

Once this has happened, take the time to “mystery shop your website” by going on the front end of your webpage and engaging with the content there. Once you’ve rooted out the harmful ad, take the URL and add it to your block list.

You may also check your Google Analytics, paired with your site metrics, to track what ads are being served when, and analyze that alongside spikes in your bounce rates.

This can be an effective short-term strategy, but will only act as a band-aid solution to what is, in reality, a far more persistent problem.

Not only will you spend countless hours tracking down harmful advertisements, but once they are added to your blocklist, advertisers can quickly change their URLs to circumvent blocking and continue attacking your site.

If you’re struggling to keep up with malvertisers, and are watching your site metrics and ad revenue plummet due to harmful ads, teaming up with an ad security company is the quickest and most effective way to solve the problem, once and for all.

SafeFrame Container vs. cleanAD

SafeFrame is a common DIY malvertising prevention solution, but it is not a foolproof cure. While it has the capability to protect your site from basic malvertising attacks, it limits your interaction with advertisers and still leaves you vulnerable to more sophisticated types of attacks.

In this sense, while SafeFrame’s free integration with Google AdSense may make it seem like a “cost-effective” treatment for malvertising, in reality you will end up paying more in manpower and time tracking down bad ads and adding them to your blocklists.

An ad security solution will not only free up your time to focus on expanding your publishing business, but it will also make your website a more lucrative place to advertise by protecting your site metrics and preventing steep drop-offs in traffic.

But ironically, many ad security solutions rely on the same blocklisting technology provided to you through Google, meaning unmarked advertisers are still able to attack your site.

And even when these bad actors are inevitably blocked, they can still change or obscure their URLs through dynamic cloaking techniques to sneak by blocklists.

Sites that experience revenue loss at the hands of bad ads need a proactive approach to their security, something only offered by cleanAD.

cleanAD is able to uniquely identify malvertisers behaviorally, based on key signatures shared between attacks.

This means even as attackers attempt to change or cloak their techniques, you remain protected from their harmful ads.

Not only this, but because these signatures are detected in real-time, you still get paid for ad impressions. This protects your ad revenue while creating a financial disincentive for malvertisers attacking your page, who are now paying for ad impressions without luring in victims to their scams and malware.

If you are struggling with malicious ads, and are interested in what we can do for your site metrics and overall ad yield, you can sign up for a 14-day free trial here.
