> Security teams have raised red flags about iframes for years. Cross-frame scripting, clickjacking, and credential phishing are common exploits, since the frame executes third-party code inside your trusted domain
I would disagree.
Yes iframes have security risks, but they generally pale in comparison to giving some other random site full control of your page, which is the alternative.
tasn•10h ago
Another alternative is loading a library and setting it to a fixed version.
You're still giving a 3rd party full access to your website, but at least it's more auditable and safe.
Fwiw, I think iframes are great!
bawolff•8h ago
While i agree that is better than nothing, i've always had my doubts about this approach.
Do people really audit such code? I doubt it. Does the code really not insert any additional code that allows bypassing the whole scheme (esp. If the point is to dynamically insert content).
I also think most of the time, the biggest threat is not the vendor being intentionally evil but the vendor making a mistake that leads to XSS which someone else exploits. After all, if the vendor is intentionally being malicious they can probably sneakily bypass this sort of thing.
NoahZuniga•7h ago
Also clickjacking isn't a security risk for the page embedding the iframe. This shows fundemental misunderstanding.
johnisgood•5h ago
I have never understood the argument against iframes involving security.
rohan_•12h ago
i don't understand this product - i feel like tools like v0 can one-shot an analytics dashboard these days. i do think something like https://upsolve.ai/ provides real value though
msgodel•11h ago
Oh it's more analytics crap.
josephcsible•11h ago
> Your end users expect brand-consistent dashboards that match the host app down to the smallest pixel.
Is that really true? Aren't most end users now used to, e.g., YouTube and Twitter iframes looking exactly the same everywhere, no matter what the surrounding site looks like?
I keep revisiting this approach over and over again - I don't know, maybe I never learn. I'm not interested in analytics dashboards, my context is more around stringing together prototype/poc services into workflow pipelines. The idea usually is along the lines of "have an orchestrator service that knows what the user is trying to do, and serves a sequence of specific, embedded micro-UIs backed by services that implement each step of the overall process". I can't seem to shake this "do one thing and do it well" unix motto, and keep wanting to bring it over to UX design.
sollewitt•5h ago
I worked on a project exploring this idea and an issue is that while each step in a user journey (get restaurants near me, show me menus, make an order, show me on a map) could invoke a distinct service, provided by different providers that just do that thing well, they all want ownership of the experience and the precious user data and prefer to consume input and render output rather provide output data for others to use - there’s no stdout to pipe. The upshot is apps do everything, which is the opposite of the Unix philosophy.
cududa•6h ago
This is incredible. Thank you so much for making this so I never have to explain this again
aaviator42•4h ago
I think iframes are pretty darn handy and it's really not that hard to leverage their strengths in a secure manner.
bawolff•12h ago
I would disagree.
Yes iframes have security risks, but they generally pale in comparison to giving some other random site full control of your page, which is the alternative.
tasn•10h ago
You're still giving a 3rd party full access to your website, but at least it's more auditable and safe.
Fwiw, I think iframes are great!
bawolff•8h ago
Do people really audit such code? I doubt it. Does the code really not insert any additional code that allows bypassing the whole scheme (esp. If the point is to dynamically insert content).
I also think most of the time, the biggest threat is not the vendor being intentionally evil but the vendor making a mistake that leads to XSS which someone else exploits. After all, if the vendor is intentionally being malicious they can probably sneakily bypass this sort of thing.
NoahZuniga•7h ago
johnisgood•5h ago