If you are a web developer you are probably familiar with the <iframe> tag in HTML. iframe stands for inline frame: it embeds another document inside the current HTML document, and the embedded document can be a page from a completely different website.
Security considerations and clickjacking
If you own a web site you probably know about the X-Frame-Options header. It was introduced in 2009 (first in Internet Explorer 8) as an HTTP response header that the site owner or web server administrator sets to define the framing policy. Its values are DENY (no page may frame this one, not even a page from the same site), SAMEORIGIN (only pages from the same origin may frame it) and ALLOW-FROM uri (only the named site may frame it). ALLOW-FROM was never widely implemented and current browsers ignore it, which leaves the page frameable by anyone, so the Content-Security-Policy frame-ancestors directive is the way to allow specific sites today; sending both headers covers old and new browsers. The header can be configured on any web server; on IIS the administrator adds it as a custom response header.
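As an added example (not code from the original post), the following JavaScript applies a page's framing policy the way a browser does, so you can see which combinations of header and framing origin are rejected: a Content-Security-Policy frame-ancestors directive takes precedence, then X-Frame-Options, and with neither present the page may be framed by anyone. The origins bank.example, app.example, portal.example and attacker.example are placeholders, and antiFramingHeaders shows the pair of headers a site should send. The ancestor check covers the whole chain of frames, as current browsers do; the matching of host sources is simplified (a source without a scheme matches any scheme).

```javascript
// Added example, not code from the original post. Evaluates a page's framing
// policy as a browser would: CSP frame-ancestors wins when present, otherwise
// X-Frame-Options (RFC 7034), otherwise framing is allowed.
// All host names (bank.example, portal.example, ...) are placeholders.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one frame-ancestors source expression match the ancestor origin?
// Simplification: a host-source without a scheme matches any scheme.
function sourceMatches(source, ancestor, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return ancestor === pageOrigin;
  const a = new URL(ancestor);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return a.protocol === s; // scheme-source, e.g. "https:"
  // host-source: optional scheme, optional "*." wildcard, host, optional port
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme}:` !== a.protocol) return false;
  if (wildcard ? !a.hostname.endsWith(`.${host}`) : a.hostname !== host) return false;
  const ancestorPort = a.port || (a.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === ancestorPort;
}

// headers: object keyed by lower-case header name.
// ancestors: origins of every frame above the page, from the immediate
// parent up to the top-level window (empty when the page is not framed).
function frameAllowed(headers, pageUrl, ancestors) {
  const pageOrigin = originOf(pageUrl);
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim())
    .find(d => d.toLowerCase().startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    // every ancestor in the chain must match at least one source expression
    return ancestors.every(anc => sources.some(src => sourceMatches(src, anc, pageOrigin)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestors.every(anc => anc === pageOrigin);
  // ALLOW-FROM was never widely supported and current browsers ignore it,
  // as they ignore any other unrecognised value: the page stays frameable.
  return true;
}

// Headers a site should send so that only its own origin can frame it
// (X-Frame-Options for old browsers, frame-ancestors for current ones).
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
  };
}

// Example: a bank login page with DENY, framed by an attacker's page.
console.log(frameAllowed({ 'x-frame-options': 'DENY' },
  'https://bank.example/login', ['https://attacker.example'])); // false
```

When you add the headers to a real application, check them with the browser's developer tools (Network panel, response headers) rather than trusting the server configuration: a reverse proxy or CDN in front of the application may strip or override them.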
There have been several reported cases of fraud in which an attacker abuses inline framing: the attacker loads the victim site in an invisible or disguised frame on a page under his control and tricks the user into clicking, so that a click the user believes is on the attacker's page actually lands on a button or link in the framed site. This is referred to as clickjacking. Probing a particular web site to find out whether it allows other sites to frame its content is referred to as frame-sniffing.
As a good practice developers add a frame-killer (also called a frame-buster), a small piece of JavaScript that prevents the page from being displayed inside a frame. Treat it as a fallback rather than the primary control, because a frame-killer can be defeated (for example by a sandboxed iframe that blocks navigation of the top window), so the header should be sent as well. Save the HTML below as a file, open it in a browser and then experiment with changing the iframe source:
The iframe source points to mysite.com. If you change it to kotak.com, that site appears inside the small frame. If instead you try to frame their net banking application at https://www.kotak.com/j1001mp/netapp/MainPage.jsp, the page refuses to be displayed inside the frame.
Similarly, if you try one of the e-commerce giants such as http://amazon.com, you see the browser's error (this wording is Internet Explorer's): "This content cannot be displayed in a frame. To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame." together with an option to open the content in a new window. It means the site owner has explicitly sent an X-Frame-Options header or implemented a frame-breaker in the application; you can tell the two apart by inspecting the response headers in the browser's developer tools.
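The frame-killer pattern described above, as an added example that is not the HTML file from the original post. The logic is kept in a function that takes window-like objects so it can be exercised offline: fakeWindow is a stand-in used only for the demonstration, not a browser API, and mysite.example and attacker.example are placeholders. The third scenario shows the known weakness: an attacker who frames the page with <iframe sandbox="allow-scripts"> lets the script run but blocks the navigation of the top window, which is why the code hides the body first and why the header-based policy is still required.

```javascript
// Added example, not the HTML file from the original post. A frame-killer
// whose logic is separated from the page so it can be run against stand-in
// window/document objects. mysite.example / attacker.example are placeholders.

// Returns true when the page is shown (we are the top-level window) and
// false when it stays hidden because it was loaded inside a frame.
function frameKiller(win, doc) {
  // Hide everything first: if the bust-out below is blocked, the page stays
  // blank instead of offering clickable buttons inside an attacker's frame.
  doc.body.style.display = 'none';
  if (win.self === win.top) {
    doc.body.style.display = 'block'; // top-level window: safe to show
    return true;
  }
  try {
    // Writing top.location is the one cross-origin write browsers permit,
    // so this normally replaces the attacker's page with our own ...
    win.top.location = win.self.location;
  } catch (e) {
    // ... unless we sit in an <iframe sandbox> without allow-top-navigation,
    // where the navigation is refused (some browsers raise a SecurityError).
  }
  return false;
}

// Test double standing in for the browser. `sandboxed` models a parent that
// used <iframe sandbox="allow-scripts">, which silently drops top navigation.
function fakeWindow({ framed, sandboxed = false }) {
  const doc = { body: { style: { display: 'block' } } };
  const self = { location: 'https://mysite.example/' };
  let topLocation = 'https://attacker.example/';
  const top = framed
    ? {
        get location() { return topLocation; },
        set location(url) { if (!sandboxed) topLocation = url; },
      }
    : self;
  return { win: { self, top }, doc };
}

// In a real page include this script at the end of <body> (document.body
// must exist) and it arms itself; under Node there is no window, so the
// demonstration below runs instead.
if (typeof window !== 'undefined') {
  frameKiller(window, document);
} else {
  const framed = fakeWindow({ framed: true, sandboxed: true });
  frameKiller(framed.win, framed.doc);
  console.log('sandboxed frame: top stays', framed.win.top.location,
    'and body is', framed.doc.body.style.display); // attacker page, "none"
}
```

Other tricks (the attacker's page registering an onbeforeunload handler, or framing the page twice so that top.location belongs to the attacker) are why a frame-killer alone is not sufficient; the X-Frame-Options and frame-ancestors headers are enforced by the browser before any of the page's script runs.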
Why would inline frames be allowed at all?
Like any option, inline frames have advantages as well. Online advertising platforms use iframes to display ads, and many cloud-based software-as-a-service (SaaS) applications use iframes to render several web applications in a single window. These applications are hosted on different domains and servers, and even the underlying infrastructure can differ, yet the end user reaches all of them from a single browser window without launching several applications or logging in several times. The isolation also works in the site's favour: the framing page cannot read or script the content of a cross-origin frame.
What about cookies?
An HTTP cookie (also called a browser cookie) is a small piece of data that the web server sends in a Set-Cookie response header and the browser stores and returns with later requests to that site. Cookies are generally used to hold session information or browsing state. Tracking cookies are cookies used to record a user's browsing activity over a long period; they raise privacy concerns because they are frequently used for ad targeting and for studying a user's buying patterns. When a web site uses an iframe to display content from a third-party site (one different from the site the user is visiting), the cookies the framed site sets are, from the browser's point of view, third-party cookies.
Browsers that block third-party cookies (Safari does so by default, and Firefox and Chrome offer the setting) make such iframe-based web applications unusable: the framed application cannot set its session cookie, every request looks like a fresh visit, and the user sees an error such as "There were too many redirects" with no content in the frame, because the application keeps redirecting to its login page. Look closely at the browser's address bar or privacy panel and you will see that third-party cookies are being blocked; adding the third-party site as an exception allows seamless access to the framed content. On current browsers the framed site's cookies must also carry the SameSite=None and Secure attributes, because a cookie without a SameSite attribute is treated as SameSite=Lax and is never sent to a document in a cross-site frame.
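As an added example (not code from the original post), the following JavaScript checks whether a Set-Cookie header can work for an application rendered inside a cross-site iframe and emits a correctly attributed session cookie. The cookie names and values are placeholders. It encodes the rule current browsers apply: a cookie is only sent to a framed cross-site document if it carries SameSite=None, and SameSite=None is only accepted together with Secure.

```javascript
// Added example, not code from the original post. Checks a Set-Cookie header
// for the attributes a cookie needs inside a cross-site iframe. Cookie names
// and values below are placeholders.

// Parse "name=value; Attr1; Attr2=val" into its parts; attribute names are
// lower-cased, valueless attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(p => p.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Browsers only send a cookie to a framed cross-site document when it has
// SameSite=None, and they only accept SameSite=None when Secure is set.
// A cookie with no SameSite attribute is treated as Lax.
function usableInThirdPartyFrame(header) {
  const { attrs } = parseSetCookie(header);
  const reasons = [];
  const sameSite = String(attrs.samesite || 'Lax').toLowerCase();
  if (sameSite !== 'none') {
    reasons.push(`SameSite=${sameSite} is never sent to a cross-site frame`);
  }
  if (attrs.secure !== true) {
    reasons.push('Secure is missing (required with SameSite=None; the framed app must be https)');
  }
  return { ok: reasons.length === 0, reasons };
}

// Session cookie attributes for an application that is meant to be framed
// by another site. HttpOnly keeps it away from script; Secure + SameSite=None
// lets the browser send it to the framed document.
function framedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Constructed sample headers: the first is what a typical pre-SameSite
// application sends, the second is the corrected form.
const legacy = 'sid=abc123; Path=/; HttpOnly';
console.log(usableInThirdPartyFrame(legacy));
// { ok: false, reasons: [ 'SameSite=lax is never ...', 'Secure is missing ...' ] }
console.log(usableInThirdPartyFrame(framedSessionCookie('sid', 'abc123')));
// { ok: true, reasons: [] }
```

Even with the right attributes, a browser whose user has blocked all third-party cookies (Safari by default, Firefox in strict mode, Chrome with the setting enabled) still drops the cookie; that is the case the post describes, where the user must add an exception, or where the framed application can ask for its cookies through the Storage Access API (document.requestStorageAccess()).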
The Platform for Privacy Preferences Project (P3P)
P3P is a W3C specification, not a Microsoft feature, although Internet Explorer was the only major browser that implemented it; Chrome, Firefox, Safari and Edge ignore it, and the W3C declared the specification obsolete in 2018. A P3P user agent could be built into the browser or installed as a plug-in to read a site's P3P policy and act on it. Internet Explorer reads the compact policy in the P3P header and uses it to decide whether to accept a third-party cookie at the user's privacy level, which is why sites that needed their cookies accepted inside a frame added a P3P header. The header does not force the browser to accept anything: it declares the site's intended use of the data the cookie collects, and IE allows the cookie only if the declared policy is acceptable under its settings.
P3P CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" is an example of a machine-readable compact policy. Each token is an abbreviation: IDC (access to identified contact information), DSP (a dispute-resolution procedure exists), COR (remedy: errors are corrected), CURa and ADMa (purposes: the current activity and site administration, always), OUR (recipient: the site itself), IND (retention: indefinite) and PHY, ONL, COM and STA (data categories: physical contact, online contact, computer and state-management information). Several tools generate the compact policy from a questionnaire about your business entity, why the information is collected, who receives it, how long it is retained and so on.
Browsers such as Chrome, Firefox and Safari do not use P3P headers to decide whether to block or allow third-party cookies; they rely on their own privacy settings and on the cookie's SameSite and Secure attributes.