iframes are evil

If I were in charge of browser security I would remove them completely. They are just a bad idea, and I predict a huge rise in iframe-based attacks, from browser exploits to CSRF. I know this won’t happen because too many people use them without understanding the security implications.

So I suggest an HTML tag/attribute to enable or disable the use of iframes, with access not allowed by default. To enable their use on your site you would have to add the following to your HTML document, e.g.

<html security="iframe">

This would allow iframes on a per-page basis; if the security attribute is not present, the browser would not allow the iframe and would show an error message like “iframe not allowed on this page”.

9 Responses to “iframes are evil”

  1. Bipin 3~ Upadhyay writes:

    It’s a strange coincidence (though not such a big one for the world to celebrate :P).
    I had some similar feelings after looking at “several” attacks possible using iframes (including the CSS ones). The most prominent being the recent “Bank Of India” hack, where the attackers used iframes to download malware onto the user’s system (please correct me if I am mistaken).
    I was in fact thinking of initiating a discussion thread on Slackers and….. going to the extent of requesting Maone to include an option to disable iframes in NoScript. 🙂
    IMHO, that’s the only way I see currently to save oneself in these CSS and drive-by download attack scenarios.

  2. Gareth Heyes writes:

    Yeah, that would be a fantastic feature in NoScript; also removing the visited attribute in CSS, window.open, etc.

  3. Evert writes:

    I’m just waiting for the day when we can include a security profile per site, allowing us to disable JavaScript altogether, iframes, JavaScript accessing cookies, etc., etc.

  4. digi7al64 writes:

    The problem with your solution is that if a page is hacked via persistent XSS then “” could be overwritten or excluded. What we need is a new document that resides on servers and dictates what rules the browser should follow, similar to crossdomain.xml but with more clout.




    This way, by setting flags for true or false based on the domain, you eliminate a lot of the remote inclusions that cause issues.
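As an added example, not code from the blog post or from any of the commenters, the following JavaScript models the two proposals on this page together: the post’s per-page opt-in attribute `<html security="iframe">` with deny as the default (and the post’s own error text “iframe not allowed on this page”), and the server-side policy document with per-domain true/false flags described in the comment above. It goes slightly beyond the text by combining the two checks so that a frame is only allowed when the page opts in and the site policy permits the frame’s host. The policy document shape, the sample pages, the `SELF_ORIGIN` value and all function names are constructed for this example; the HTML scanning is a simplified regex tokenizer for illustration, not a real HTML parser.

```javascript
// Added example, not code from the blog post or its comments. It models the
// two proposals on this page as a toy policy evaluator: (1) the post's
// per-page opt-in attribute <html security="iframe">, deny-by-default, and
// (2) the commenter's server-side policy document with per-domain true/false
// flags. Policy shape, sample pages and SELF_ORIGIN are constructed for this
// example; the HTML scanning is a simplified regex tokenizer, not a parser.

const DENY_MESSAGE = "iframe not allowed on this page"; // wording from the post

// Constructed: origin of the page being evaluated, used to resolve relative
// iframe src values such as "/local" and iframes with no src at all.
const SELF_ORIGIN = "https://self.example/";

// Constructed site policy in the spirit of crossdomain.xml: listed hosts carry
// an explicit flag, unlisted hosts fall back to "default".
const SAMPLE_POLICY = {
  default: false,
  domains: { "self.example": true, "cdn.example": true, "ads.example": false },
};

// Constructed sample pages: one without the opt-in attribute, one with it.
const SAMPLE_PAGE_DENIED =
  '<html><body><iframe src="https://cdn.example/widget"></iframe></body></html>';
const SAMPLE_PAGE_OPTED_IN =
  '<html security="iframe"><body>' +
  '<iframe src="https://cdn.example/widget"></iframe>' +
  '<iframe src="https://ads.example/banner"></iframe>' +
  '<iframe src="/local"></iframe>' +
  '<iframe name="blank"></iframe>' +
  "</body></html>";

// Read the space-separated feature list from the <html security="..."> attribute.
// An absent attribute yields an empty Set, so the default is deny.
function pageSecurityFeatures(html) {
  const m = /<html\b[^>]*?\bsecurity\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(html);
  if (!m) return new Set();
  const raw = m[1] ?? m[2] ?? m[3] ?? "";
  return new Set(raw.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Collect every <iframe> start tag and its src (null when absent).
function iframeSources(html) {
  const out = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    out.push(src ? (src[1] ?? src[2] ?? src[3]) : null);
  }
  return out;
}

// Resolve the src against SELF_ORIGIN and look the host up in the site policy.
// Anything that fails to parse as a URL is denied.
function siteAllowsFrame(policy, src) {
  let host;
  try {
    host = new URL(src ?? "", SELF_ORIGIN).hostname;
  } catch (e) {
    return false;
  }
  if (Object.prototype.hasOwnProperty.call(policy.domains, host)) {
    return policy.domains[host] === true;
  }
  return policy.default === true;
}

// Combined decision: the page must opt in AND the site policy must allow the
// frame's host. Returns one record per iframe found, in document order.
function evaluateIframes(html, policy) {
  const pageAllows = pageSecurityFeatures(html).has("iframe");
  return iframeSources(html).map((src) => {
    if (!pageAllows) return { src, allowed: false, reason: DENY_MESSAGE };
    if (!siteAllowsFrame(policy, src)) {
      return { src, allowed: false, reason: "host not allowed by site policy" };
    }
    return { src, allowed: true, reason: "allowed" };
  });
}

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateIframes(SAMPLE_PAGE_DENIED, SAMPLE_POLICY));
  console.log(evaluateIframes(SAMPLE_PAGE_OPTED_IN, SAMPLE_POLICY));
}
```

The design choice worth noting is that both layers are deny-by-default: a page with no `security` attribute gets every frame refused with the post’s error text, and a page that does opt in still has each frame’s host checked against the site policy, with unlisted hosts falling back to the policy’s `default` flag.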

  5. digi7al64 writes:

    oops. forgot to wrap the code




  6. digi7al64 writes:

    meh – sorry, but no matter what I do it just doesn’t render right.

    Honestly, no offence to yourself Gareth, but this sucks: we can post comments that use greater-than or less-than signs. I mean, how hard is it to encode ’em rather than delete them?

  7. Gareth Heyes writes:

    Yeah, I know, I’m sorry. I didn’t write the code on this blog; I’m gonna sort it out.

  8. Gareth Heyes writes:

    Yeah, I wish that would happen sooner rather than later.

  9. Gareth Heyes writes:

    I’m so sorry about the code in comments. I’ve finally taken the time to update my security plugin and encode the correct characters. You should be able to post code on the blog now without it being stripped out.