Publishers today understand that clicking on a redirect is digital quicksand, and the most popular DIY trick publishers use to secure ad slots is the SafeFrame container.
Publishers have tried to remedy forced redirects and malvertising by implementing DIY solutions, including adjusting price floors and asking their ad ops teams to manually track down malicious sources. These solutions are often slow, resource-heavy, or ultimately ineffective.
For more than half a decade, SafeFrames have been an ad security staple of the digital media industry. Developed by the IAB through industry-wide input, designed for scalability and efficiency, SafeFrame technology tightened up vulnerabilities in ad slots that malvertisers and scammers have long used to launch attacks on unsuspecting users.
This guide will dig into SafeFrame containers and explore the pros and cons of implementing SafeFrame to control ad behavior and fight against forced redirects and malvertising.
Q. For starters, what are iframes?
A. Iframes are chiefly known for preventing a site’s elements from interacting with other elements present on the same page. Technically, iframes are HTML tags that act as containers and are used to embed an ad on a web page. An iframe is like a window placed on a website with a clear view of the content produced by an advertiser or network, providing very inflexible advertising. When an ad is placed inside an iframe, the ad stays inside its boundaries and doesn’t interact with the other elements of the page.
Q. What are the limitations of iframes?
A. Though iframes protect publishers’ ad content, they bring security risks galore, limit ads’ capabilities, and inhibit the implementation of rich media ads. Not to mention, while an iframe offers a dedicated space for ads, the advertiser cannot make changes to its shape and size. Iframes also prevent the ad from collecting data for viewability and other performance metrics — data that advertisers require, and that publishers can use to determine the value of their inventory.
Q. Is a SafeFrame the same thing as an iframe?
A. No. A SafeFrame lives inside the iframe and provides more secure display advertising on a publisher’s sites. A SafeFrame is an API-enabled iframe that opens a unified communication path between ads’ content and page content. While the iframe creates the container around the ads’ content, the API enables the rich interaction between the ad and the served content on the web page.
Q. Who’s responsible for implementing SafeFrame containers?
A. The publisher implements the SafeFrame container in most interactive advertising models, but a third party such as an ad server or verification vendor may also host the SafeFrame for a publisher page upon agreement from the publisher.
Q. How do SafeFrame containers benefit the publisher?
A. SafeFrame benefits the publisher’s side in three central ways: User Protection, Publisher Control and Efficiency. Today, SafeFrames are not only advisable — they should be considered essential for ad security.
SafeFrame 1.0 allows for page/ad content interaction and gives publishers more control over that interaction. The publisher can, for example, make decisions about acceptable ad expansions, or about what page data the creative code can access. The publisher can prevent third parties from accessing users’ personal information — form data, passwords, banking data, credit card information and other sensitive details.
SafeFrames even allow publishers to decide what page data can be seen by which advertisers or vendor partners. In short, SafeFrames provide security to publishers and their users, and prevent ad interactions from breaking the page. These measures save publishers money and time they would otherwise need to devote to the ops team’s manual efforts.
Q. Are there drawbacks to SafeFrame 1.0?
A. SafeFrame 1.0 has some limitations – most importantly, it didn’t report viewability measurements. And while it standardized rich media formats so they can run anywhere SafeFrame is supported, the publisher still had to modify their GPT (Google Publisher Tags) to enable ad expansions, and SafeFrame was not supported in mobile apps. (It was supported on mobile web, though.)
Q. What is SafeFrame 2.0?
A. SafeFrame 2.0 aims to remedy 1.0’s frequent inability to support header bidding tech. It’s designed to align with MRAID, to support all HTML ads on mobile and web alike. It supports ad expansions across current formats, without prior “knowledge” of the ad’s final dimensions, which vary by browser and device.
At the same time, the IAB decided SafeFrame no longer needs to enable measurement — the IAB Open Measurement SDK is positioned to do the job itself. SafeFrame continues to play a key part in accessing data about ad performance and user experience.
In SafeFrame 2.0, the IAB promises:
- Added security for publishers: greater separation of publisher code and ad code.
- Privacy for users: publishers can honor users’ privacy settings when they decide what data they share with partners.
- More ad ops efficiencies: fewer broken pages to troubleshoot.
The new version of SafeFrame is also meant to better align with browser features like sandboxing, the intersection observer, and feature policy, so that functionality already built into popular browsers can be removed from SafeFrame. In fact, with version 2.0, the IAB recommends using those three features to build on SafeFrame capabilities without further straining its API.
Q. What is sandboxing?
A. SafeFrames are actually a form of sandbox — one developed by the IAB as a scalable solution. DIY sandboxing, by comparison, is far more stringent on its own, unless the publisher customizes the code. In fact, it’s so strict that it often demands customization, or else it becomes a blunt tool.
Sandboxing prevents malicious code in an ad creative from simulating a real user’s click, or from forcing a refresh of the main page or signaling a new window to open — among other ways malvertisers can force a redirect.
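The following added example, which is not from the original article or from the IAB's SafeFrame code, audits an ad iframe's `sandbox` attribute for the standard HTML tokens that re-enable the redirect paths described above, and for over-strict settings that break the ad. The slot names, attribute values and finding labels are constructed for illustration.

```javascript
// Added example, not SafeFrame or IAB code. Token names are the standard
// HTML iframe sandbox keywords; slot names and values are constructed.
const RISKS = {
  "allow-top-navigation":
    "creative can navigate the top-level page without a user gesture",
  "allow-popups": "creative can open new windows or tabs",
  "allow-popups-to-escape-sandbox":
    "windows opened by the creative are not sandboxed",
};
const KNOWN = new Set([
  ...Object.keys(RISKS),
  "allow-top-navigation-by-user-activation", "allow-scripts",
  "allow-same-origin", "allow-forms", "allow-modals", "allow-downloads",
  "allow-pointer-lock", "allow-presentation", "allow-orientation-lock",
  "allow-top-navigation-to-custom-protocols",
]);
// attr: the attribute value, or null when the iframe has no sandbox attribute
// (in which case none of the sandbox restrictions apply).
function auditSandbox(attr) {
  if (attr === null) {
    return { sandboxed: false, risks: Object.keys(RISKS), breaks: [], unknown: [] };
  }
  // Tokens are whitespace-separated and ASCII case-insensitive.
  const tokens = new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
  const has = (t) => tokens.has(t);
  const breaks = [];
  // Over-strict side: restrictions that stop a legitimate ad from working.
  if (!has("allow-scripts")) breaks.push("scripts-disabled");
  // With no popup or top-navigation token, a real click cannot open a
  // landing page outside the ad frame.
  if (!has("allow-popups") && !has("allow-top-navigation") &&
      !has("allow-top-navigation-by-user-activation")) {
    breaks.push("clickthrough-blocked");
  }
  return {
    sandboxed: true,
    risks: Object.keys(RISKS).filter(has), // redirect paths re-enabled
    unknown: [...tokens].filter((t) => !KNOWN.has(t)), // ignored by browsers
    breaks,
  };
}
const SLOTS = { // constructed sample values
  "strict-default": "",
  "redirect-prone": "allow-scripts allow-popups allow-top-navigation",
  "customized": "allow-scripts allow-top-navigation-by-user-activation",
  "typo": "allow-scripts allow-top-navigation-by-user-activaton",
  "unsandboxed": null,
};
for (const [slot, attr] of Object.entries(SLOTS)) {
  console.log(slot, JSON.stringify(auditSandbox(attr)));
}
```

The `typo` slot shows why unknown tokens matter: a misspelled keyword is ignored, so the slot silently falls back to blocking click-throughs.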
Q. How does SafeFrame increase user privacy?
A. As mentioned above, while SafeFrame shares information with ad content served to its API-enabled iframe, the publisher chooses what to share and can protect sensitive consumer information like personal email addresses, passwords, or even banking information.
Q. How does SafeFrame increase publisher control and efficiency?
A. SafeFrame isolates publishers’ webpage code from ad code, which helps maintain control over the page’s layout and restricts interference from the ads. Meanwhile, the API-enabled SafeFrame also provides the ability to decide which information should be accessible to buyers or third-party vendors.
With the implementation of SafeFrame, publishers can allow rich interaction from ads served to an iframe while maintaining control that prevents ad code from breaking page function. Also, enabling rich media inventory within SafeFrame containers keeps operational costs under control.
Q. Is SafeFrame compatible with all demand?
A. Yes. To work in a SafeFrame, ad code needs modification. SafeFrames are not compatible with all demand and using them can impact performance. DSPs often require data from publishers that they can’t access through SafeFramed ads. The creative code might need to be modified by the advertiser or their partners in order to load or render properly in SafeFrames.
Q. Are SafeFrame containers secure?
A. SafeFrame establishes a foundation for more secure and transparent transactions between ad content and page content; however, ad security tools should be implemented to ensure malicious, non-compliant, or spammy ads are never served on your site.
Q. Will SafeFrame containers rid my site of mobile redirects?
A. No. As with all DIY security tools, SafeFrame containers have their drawbacks. In this case, those drawbacks limit its effectiveness, particularly as a total threat prevention solution.
Q. Are SafeFrame containers a substitute for ad security and verification solutions?
A. No. SafeFrames are a great, base-level security tool, but shouldn’t be used in place of an ad security vendor. Addressing the breadth and complexity of malvertising threats in the programmatic ecosystem is not part of SafeFrame tech’s core capability, and SafeFrames are not a substitute for verification or security tools.
SafeFrames should be considered a baseline part of a publisher’s security strategy — which means they work best when the publisher and their partners can expand on that strategy as needed.
Ad security and quality solutions are far better suited to prevent not only malicious ads (beyond redirects alone), but also non-compliant and otherwise low-quality ads.
Q. What are the implications of disabling SafeFrame?
A. While SafeFrames have their limitations, disabling them invites a host of other problems. With SafeFrames disabled, an advertiser may need to rely on JavaScript in order to change the iframe’s dimensions and serve a rich media ad.
But JavaScript comes with its own security issues, including the fact that it can read publisher and user data from the page — including PII — which places the user at considerable risk.
JavaScript from an advertiser or vendor also has the capability to call JavaScript from a malicious third party — either intentionally, or as a result of bad actors undermining a well-intentioned JavaScript tracker.
JavaScript can also cause page latency — poor user experience that can cause the user to bounce or end a session prematurely, preventing the publisher from monetizing a full session. A publisher in this position must truly trust their vendors — which limits the demand partners they can work with.
Q. How can publishers gauge the effectiveness of their current ad security tool?
A. As sophisticated as malvertisers and scammers have become, it’s often extremely difficult for a publisher to realize their SafeFrames and sandboxes are no longer cutting it until it’s too late. Here are some signs publishers can watch for to recognize it’s time to move beyond DIY solutions:
1. User complaints. While this may go without saying — users are often quick to speak up when they’ve been served redirects, or observed sketchy or off-brand ads on a publisher’s site — it’s important to monitor social media and not just the customer support line. Many users take aim at businesses on social media in attempts to “shame” the business into a quick response.
2. Spikes in bounce rate, or decreases in session length. Redirects are often launched early in the user’s session. Check your site analytics. If there is a swift deviation from established patterns in the amount of time users spend on the site, don’t assume all of those users have left the site “early” of their own free will.
3. Decrease in overall monetization. This can indicate fewer visitors to the site than usual, shorter sessions, less overall traffic — all signs that there may be unwelcome activity on your site deterring users from enjoying full sessions, or from returning to the site again after a bad experience.
4. Increase in page load time. This is not a sign that your site has been attacked by malvertisers, but a sign of latency — a common side effect of SafeFrames. Slow load times can cause users to bounce, or encourage them to navigate away before finishing the content they’re reading or viewing.
That leads to a loss of revenue the publisher could easily have earned if the page and ad content loaded quickly. And users have high expectations: 47% of users expect a page to load in two seconds or less. Quality publishers deserve security solutions that don’t diminish page/ad performance and overall revenue.
5. Inability to deliver viewability measurements and other KPIs to partners. This is also not a sign of an attack, but a sign DIY security tools are not allowing advertisers to see the true value of your inventory. As bad actors grow more sophisticated, and publishers continue to rely on an array of demand partners to optimize revenue, simply disabling SafeFrames and sandboxing is not a good option. If your advertisers are not able to measure their campaigns accurately, your inventory and your site overall will lose value.
Q. What is the best long-term solution?
A. It’s short-sighted to think of SafeFrames and DIY security work-arounds as cost-savers. They may require little to no extra money upfront, but many publishers agree that the cost of partnering with a trustworthy security vendor is nothing compared to the loss of traffic, lifetime users and revenue that results from redirects and other malicious attacks through under-secured ad slots.
Real-time detection and blocking of any malicious ads, combined with airtight QA automation, is the only surefire ad security strategy for publishers. These methods pinpoint known threats in the ecosystem, identify new threats, and prevent the clean-up that follows an attack.
Q. What does an ad quality partner mean for me?
A. Strong ad quality protection allows you to:
- Ensure a positive user experience
- Optimize ad revenue without compromising ad quality
- Maximize ad ops efficiency
Real-time protection keeps you focused on publishing and optimizing your revenue.
Without an ad security and quality solution, the first sign of a problem is often a user complaint. Frustrated user complaints rarely contain enough information to track down fraudsters; this alone can be an impossible task, often leaving a publisher fumbling in the dark, and even trying to trigger the ad for themselves.
Between IAB, Google, and DIY solutions for preventing redirects and other malvertising attacks, publishers don’t have a clear holistic solution. SafeFrames may be safer than no SafeFrames, but they’re designed for the broadest adoption possible, and even the IAB recommends augmenting them with sandboxes.
Google sets recommendations and requirements in Ad Manager, but opting into additional Ad Manager protections is up to the publisher and the advertiser — and bad actors will obviously never opt in. Sandboxing requires added time and effort from the ops team to avoid harming ad functionality and performance — and it doesn’t even prevent malvertising attacks like cryptomining or ad stuffing.
Real-time monitoring and blocking directly help publishers improve KPIs, increase the lifetime value of their audiences, add any demand partners they want, set the floors they need, and grow their overall revenue.
Keeping malvertisers away from publishers’ inventory calls for vigilance, meaning proactive solutions for unpredictable and real-time attacks.