Published 18 years 8 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read
If I was in charge of browser security I would completely remove them, they are just a bad idea, I predict a huge rise of iframe based attacks from browser exploits to CSRF. I know this won't happen because there are too many people who use them and don't understand the security implications.
So I suggest a HTML tag/Attribute to enable/disable the use of a iframe and by default access is not allowed. To enable their use on your site you would have to do the following in your HTML document e.g.
<pre lang="HTML"> <html security="iframe"> </pre>This would allow the iframe on a per page basis and if the security attribute is not present it will not allow the iframe with a error message like "iframe not allowed on this page".