Amazon iFrames

[LucB]

My ZoneAlarm firewall seems to block Amazon iFrames (at least partially). It
concerns iFrames which contain the "Multiple Product Display Centre",
allowing Amazon Associates to earn money by channeling traffic to Amazon.
Do those iFrames represent a security breach of some kind?

[Frisco]

In article <V2M6e.62873$Kl5.4577340@phobos.telenet-ops.be>, LucB says...
> My ZoneAlarm firewall seems to block Amazon iFrames (at least partially). It
> concerns iFrames which contain the "Multiple Product Display Centre",
> allowing Amazon Associates to earn money by channeling traffic to Amazon.
> Do those iFrames represent a security breach of some kind?

Absolutely!

While in concept, when Microsoft "developed" iFrames, they were a good and
useful idea. In practice they are exploited as serious security holes.
iFrames automatically navigate you to a site (possibly NOT the same site
you knowingly navigated to), and run whatever script or page is located
there. In turn, that "other" site can also use iFrames, which take you to
yet more sites, running scripts, loading activeX, installing browser
extensions and doing all kinds of mean, nasty, ugly things (to quote Arlo
Guthry).

All this, and you didn't even know you were doing it. All you did was go
to a site by following a link or typing in the URL, and you actually wind
up accessing far, far more than the one site you wanted to go to.

iFrame exploitation is notoriously used to load spyware (record your
surfing habits, where you visit, what time of day, things you buy, etc.).
It is further used, quite frequently, to load pop-up software, fetching
ads from wherever it choses, and having no relation to your current
browsing session.

I have an opinion on iFrames as to whether they should be supported in ANY
browser, and whether any web site ought to code pages that make use of
them. I'll be you can get what the opinion is.

If you just gotta use a web site uses iFrames, and you just gotta use the
iFrame itself (can't use the site without also using the iFrame), then add
the site to your trusted sites, or put it in a bypass list, or otherwise
manually configure it according to however ZoneAlarm will let you.

But don't make a habit of it. Just because you go to a site that uses
them, and it just happens to be a well-known commercial site, is no
justification for labeling such a site a "trusted" site. Banks and
financial institutions, probably. Booksellers, probably NOT. While they
may not intentionally try to load crap onto your system, they MAY (and
usually DO) link to 3rd-party sites through their iFrames. Do you trust
the 3rd party? Do you even know who the 3rd party IS, before actually
allowing the iFrame to load? I thought not. So be careful. Just because
you may trust Amazon.com, it doesn't follow that you should trust anything
at all in an iFrame, now or in the future, because you have no idea where
that iFrame is pointing to.

Bear in mind that not all browsers support iFrames. For those that don't,
there's gotta be another way for them to get to the content that Amazon
wants to make available. Perhaps a link in the page or the menu tabs. So
even if your browser supports iFrames, you should be able to get to the
same content in the same manner as browsers that don't support iFrames.
The chances that you're "missing" some sort of "really swift and neato"
information from a commercial site are minimal; they'll make sure you have
a way to get to the information, whether your browser supports iFrames or
not. If you're at an amateur site, leave them some feedback to let them
know they've locked-out a tons of visitors by using iFrames, give them a
chance to make changes, then take a look again in a week or two.

If you don't wish to spend time looking at html source and figuring out
whether an iFrame on any given page is OK to load, then follow this rule
of thumb: DON'T EVER ACCEPT THE LOADING OF IFRAMES FROM ANY PAGE. If the
page won't work without it, then you probably don't need to be there
anyway. Use Google or AltaVista or Yahoo to find yourself another site
with the same information.

Cheers!
Frisco