113

Looking at options for embedding the 3D Secure page inside my own order form, I came across the following:

"Some commerce sites will devote the full browser page to the authentication rather than using a frame (not necessarily an iFrame, which is a less secure object anyway)."

from http://en.wikipedia.org/wiki/3-D_Secure

Can someone give me the lowdown as to why iframes are less secure, and cause problems, as opposed to normal frames? And what are the basic differences?

The way I see it, iframe is the way to go.

Ripon Al Wasim
  • 36,924
  • 42
  • 155
  • 176
Duncan
  • 10,218
  • 14
  • 64
  • 96

7 Answers7

78

The difference is an iframe is able to "float" within content in a page, that is you can create an html page and position an iframe within it. This allows you to have a page and place another document directly in it. A frameset allows you to split the screen into different pages (horizontally and vertically) and display different documents in each part.

Read IFrames security summary.

alecxe
  • 462,703
  • 120
  • 1,088
  • 1,195
rahul
  • 184,426
  • 49
  • 232
  • 263
  • Doesn't look like those security issues would apply to me, as I'd be directly referencing a secure site (and one that I 100% trust) so don't see how an attacker could sabotage this? – Duncan Jul 03 '09 at 13:40
21

IFrame is just an "internal frame". The reason why it can be considered less secure (than not using any kind of frame at all) is because you can include content that does not originate from your domain.

All this means is that you should trust whatever you include in an iFrame or a regular frame.

Frames and IFrames are equally secure (and insecure if you include content from an untrusted source).

Dan Herbert
  • 99,428
  • 48
  • 189
  • 219
14

iframes are used a lot to include complete pages. When those pages are hosted on another domain you get problems with cross side scripting and stuff. There are ways to fix this.

Frames were used to divide your page into multiple parts (for example, a navigation menu on the left). Using them is no longer recommended.

Eagle-Eye
  • 1,468
  • 2
  • 18
  • 26
Ivo
  • 3,406
  • 4
  • 33
  • 56
  • "Frames are used to divine your page in multiple part. Like for example a menu on the left." The 90's called and whant you back. You should *not* use frames for this. It was common to do that some years ago, but now you should most of the time use serverside includes and css to make your menu. It allows for far greater flexibility on the long run. http://www.velvetblues.com/web-development-blog/why-you-should-not-use-frames-in-your-website/ has some info on the subject. – Esteban Küber Jul 03 '09 at 14:36
  • 16
    I know :) I just wanted to explain where frame "were" used for (100 years ago ;) ) – Ivo Jul 10 '09 at 08:15
11

Basically the difference between <frame> tag and <iframe> tag is :

When we use <frame> tag then the content of a web page constitutes of frames which is created by using <frame> and <frameset> tags only (and <body> tag is not used) as :

<html>
<head>
<title>HTML Frames</title>
</head>
<frameset rows="20%,70%,10%">
   <frame name="top" src="/html/top.html" />
   <frame name="main" src="/html/main.html" />
   <frame name="bottom" src="/html/bottom.html" />
</frameset>
</html>

And when we use <iframe> then the content of web page don't contain frames and content of web page is created by using <body> tag (and <frame> and <frameset> tags are not used) as:

<html>
<head>
<title>HTML Iframes</title>
</head>
<body>
<p>See the video</p>
 <iframe width="854" height="480" src="https://www.youtube.com/embed/2eabXBvw4oI"
    frameborder="0"    allowfullscreen>
  </iframe>
</body>
</html>

So <iframe> just brings some other source's document to a web page. The <iframe> are used to specify inline frames or floating frames. The World Wide Web Consortium (W3C) included the <iframe> feature in HTML 4.01.

<frameset> tags were used to create frames with the tag <frame> whereas <iframe> fulfills functions of both <frame> and <frameset> tags. Unlike <frame> tags, <iframe> tags can also be placed inside the <body> tags.

Placement of <iframe> is easy, a coder can easily put the <iframe> tag among the other webpage tags, and also add several <iframe> tags if he/she wants. On the other hand, placing <frame> tags in <frameset> is bit complicated.

Note : <frame> tag and <frameset> tag are deprecated in HTML5

So now as use of <frame> and <frameset> tag is deprecated so web developers use <body> tag for creating content of a webpage and for embedding some other source's document in the web page <iframe> tags are used. But even <frame> tags were also used to embed other source's document in a webpage and even <iframe> tags are also used to create frames.

Prateek Gupta
  • 2,422
  • 2
  • 16
  • 30
7

The only reasons I can think of are actually in the wiki article you referenced to mention a couple...

"The "Verified by Visa" system has drawn some criticism, since it is hard for users to differentiate between the legitimate Verified by Visa pop-up window or inline frame, and a fraudulent phishing site."

"as of 2008, most web browsers do not provide a simple way to check the security certificate for the contents of an iframe"

If you read the Criticism section in the article it details all the potential security flaws.

Otherwise the only difference is the fact that an IFrame is an inline frame and a Frame is part of a Frameset. Which means more layout problems than anything else!

Greg Bacon
  • 134,834
  • 32
  • 188
  • 245
James
  • 80,725
  • 18
  • 167
  • 237
6

Inline frame is just one "box" and you can place it anywhere on your site. Frames are a bunch of 'boxes' put together to make one site with many pages.

khan iffat
  • 77
  • 1
  • 1
-2

While the security is the same, it may be easier for fraudulent applications to dupe users using an iframe since they have more flexibility regarding where the frame is placed.

user1213898
  • 173
  • 7