
Really Understanding iFrames

November 6, 2011

The release of the IAB Ad Verification Guidelines draft for public comment this week has helped shine light on nested iFrames and how they affect ad measurement and accountability.

The IAB press release states:

“Nested iFrames are often recognized as legitimate technology, but the limited visibility around what is served into these iFrames can cause ad serving issues to go undetected. For that reason, ad verification vendors should have procedures to classify and report the extent to which advertising served into iFrames from other domains has been appropriately executed. In addition, the general nature of the verification tools used to view iFrame content should be disclosed. Moreover, it is recommended that the use of nested iFrames is minimized.”

This is progress, because on the front lines I see many claims of iFrame see-through rates accompanied by simple diagrams that don’t tell the whole story.

In our studies we see nested iFrames, where they are hosted, and their dimensions. We felt compelled not only to really understand iFrames, but also to make diagrams that really show what they are about.

The following post is a little bit technical, but I myself am not an engineer and I can get my head around this, and if I can, most likely anyone can!

Why should we really understand iFrames, you ask?

Well, really understanding the nature of iFrames is the key to knowing whether your ads delivered were actually viewable, where they were delivered, or if the impression was the result of intentional fraud.

How iFrames behave is actually based on rules, created by the W3C Consortium, that are implemented in all commercial browsers.

The content of an iFrame element is defined by the URL in its “src” attribute. In accordance with the Same-Origin Policy of the W3C Consortium, commercial browsers treat content loaded inside an iFrame differently than content loaded in the main browser window in two ways:

  1. If the iFrame URL and parent window URL belong to the same domain there are no restrictions on the communication between the iFrame script and the parent document (where the iFrame was placed)
  2. If the iFrame URL and parent window URL belong to different domains, browsers prevent the iFrame script from having access to the main window document. This means that whatever is inside the iFrame cannot see where it has been placed or confirm that the ad was viewable.

So, under the W3C Consortium rules, the main page cannot be measured when an ad delivery tag is placed on a document inside an iFrame of a different domain.
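The rule above, seen from inside the frame, as an added example that is not part of the original post: a measurement script can always read its own frame size and nesting depth, but reading the top page's URL fails when the frame is from a different origin. The function name `probeFrame`, the `fakeWindow` stand-in and all URLs are assumptions constructed for illustration.

```javascript
// Added example: what a measurement script can learn from inside a frame.
// `win` is the frame's own window object (pass `window` in a browser).
function probeFrame(win) {
  // Count enclosing frames; comparing window references is always allowed.
  let depth = 0;
  for (let w = win; w.parent !== w; w = w.parent) depth += 1;

  // Reading the top document's URL is only allowed for same-origin frames;
  // for a cross-origin frame the browser throws a SecurityError.
  let topUrl = null;
  try {
    topUrl = win.top.location.href;
  } catch (err) {
    topUrl = null;
  }

  return {
    depth,
    canSeeTop: topUrl !== null,
    topUrl,
    // The frame's own viewport size is always readable from inside.
    frameWidth: win.innerWidth,
    frameHeight: win.innerHeight,
  };
}

// Constructed stand-in for a browser window so the probe runs outside a browser.
function fakeWindow(href, width, height, parent, crossOrigin) {
  const w = { location: { href }, innerWidth: width, innerHeight: height };
  w.parent = parent || w;
  w.realTop = parent ? parent.realTop : w;
  // A cross-origin frame gets a top reference whose URL cannot be read.
  w.top = crossOrigin
    ? { location: { get href() { throw new Error("SecurityError"); } } }
    : w.realTop;
  return w;
}

// Constructed sample: a page, a same-domain frame, a blind frame, a 1X1 frame inside it.
const page = fakeWindow("https://publisher.example/article", 1280, 800, null, false);
const friendly = fakeWindow("https://publisher.example/ad-slot", 300, 250, page, false);
const blind = fakeWindow("https://adserver.example/tag", 300, 250, page, true);
const nestedBlind = fakeWindow("https://exchange.example/tag", 1, 1, blind, true);
```
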

There are a number of security reasons why these regulations are applied which are detailed in the Browser Security Handbook, part 2.

“In theory, the model seems simple and robust enough to ensure proper separation between unrelated pages, and serve as a method for sandboxing potentially un-trusted or risky content within a particular domain; upon closer inspection, quite a few drawbacks arise.”

In essence, the practice of using iFrames of a different domain in online advertising has been reasoned to protect web pages from content that they do not trust.  Many ads delivered to nested iFrames are in fact legitimate and appear to viewers.  However, the actual result of the practice of using iFrames of this nature is to hinder the measurement of actual ad delivery and to open online advertising measurement to a variety of impression fraud methods that have dramatically compromised the accuracy of impression measurement today.

To use an analogy, imagine you buy a painting from an artist through an auction service and the auction service delivers the painting to a gallery to be displayed.  Then you say, “Where is this gallery? I want to go and see the painting I bought.”  The artist replies, “Well the auction service sent the painting to a gallery, but the security is so tight that you can’t go to the gallery the painting was delivered to.  But don’t worry, it is there.”  So now you have to trust that your painting is displayed at this gallery.  Which may be fine.  But then you learn that there are a number of bad galleries that are used by the auction service that don’t hang the paintings at all.  Some paintings go to galleries that were not agreed upon and sometimes paintings don’t even get delivered.  How would you feel?

Below are detailed diagrams of different iFrame configuration possibilities.

1) In the first example a document is not used in the iFrame. This type of iFrame placement is transparent, and ad delivery, viewability and view time can be measured.

2) In this type of iFrame configuration there is a document. This document is of the same domain as the parent document. This type of iFrame placement is also transparent, and ad delivery, viewability and view time can be measured.

3) In this diagram the document placed inside the iFrame is from a different domain than the web page document (parent document). Now communication is cut off between the iFrame and the parent document and the iFrame is considered “nested” or “blind.” The ad rendering in the iFrame can be measured, as well as the iFrame size. If the ad is actually on a legitimate web page, neither the web page URL, nor the location of the ad on the web page, nor whether it is in view or in focus is measurable.

4) In this diagram the iFrame is of a smaller size than the ad content itself, in this case 1X1 or 0X0 pixels. This is one of the ways nested iFrames are abused by bad players. The viewer sees nothing, yet an impression is measured for any ad tag called by the invisible iFrame.

5) In the following diagram a document is placed behind the invisible 0X0 blind iFrame that calls an ad; impressions are measured for multiple ads on the document, which are never seen by a viewer.

6) This diagram shows how, if a 0X0 size blind iFrame is placed anywhere in the “daisy chain,” other players in the chain are affected.

7) In this case a document is placed in a blind iFrame of the correct size to display an ad, but then that iFrame is placed behind an invisible 0X0 blind iFrame.
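The configurations above can be checked mechanically once a verification crawl has recorded the frame tree. The following is an added example, not code from the original post or from any vendor; the record fields (`src`, `width`, `height`, `ads`, `frames`), the function `auditFrames` and all URLs are assumptions constructed for illustration.

```javascript
// Added example: audit a recorded frame tree for blind and hidden ad frames.
const HIDDEN_AREA = 1; // a 1X1 or 0X0 frame shows nothing to the viewer

function auditFrames(page) {
  const topOrigin = new URL(page.src).origin;
  const report = { impressions: 0, viewable: 0, blind: 0, hiddenFrames: [] };

  function walk(frame, parentOrigin, hiddenAbove) {
    // A frame with no document of its own (no src) inherits the parent's origin.
    const origin = frame.src ? new URL(frame.src).origin : parentOrigin;
    const tiny = frame.width * frame.height <= HIDDEN_AREA;
    // Anything nested under a tiny frame is clipped, whatever its own size.
    const hidden = hiddenAbove || tiny;
    if (tiny) report.hiddenFrames.push(frame.src || "(no document)");

    const ads = frame.ads || 0;
    report.impressions += ads;                      // every ad tag call is counted
    if (!hidden) report.viewable += ads;            // only unclipped ads can be seen
    if (origin !== topOrigin) report.blind += ads;  // cannot read the parent page

    for (const child of frame.frames || []) walk(child, origin, hidden);
  }

  walk(page, topOrigin, false);
  return report;
}

// Constructed sample tree mixing configurations 1, 2, 3, 5 and 7.
const samplePage = {
  src: "https://publisher.example/article", width: 1280, height: 800, ads: 0,
  frames: [
    { src: null, width: 300, height: 250, ads: 1 },
    { src: "https://publisher.example/slot", width: 728, height: 90, ads: 1 },
    { src: "https://adserver.example/tag", width: 300, height: 250, ads: 1 },
    { src: "https://exchange.example/a", width: 0, height: 0, ads: 0, frames: [
      { src: "https://network.example/stack", width: 300, height: 250, ads: 3 },
    ] },
  ],
};
```

On the sample tree the audit counts more impressions than viewable ads, and the gap is entirely explained by the one zero-size frame it reports.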

So why does the issue with blind iFrames have to be resolved? There are a number of reasons. For one, there is a huge problem with the point of transaction and delivery. The way ad exchanges work now, an impression becomes available for billing, a bidder is selected, the impression is bought and paid for, then the ad file makes the journey through the exchange. The exchange is essentially a black hole, where the ad enters, and potentially comes out the other side on an actual web page, but since one side can’t see the other, whether the ad actually gets there is an unknown. This means that the delivery of the product bought is not reportable.

Now one may even question the legality of such a transaction. Imagine people buying, say, stereo speakers on eBay, paying for them, but having absolutely no record if they arrived. I am not a lawyer, but, for example, in The Fair Credit Billing Act (FCBA), “Charges for goods and services you didn’t accept or weren’t delivered as agreed upon,” is on the list of dispute rules for credit cards.

The limitations fostered by blind iFrames, for obvious reasons, are also a great barrier to the accuracy of audience buying models and the quest for reach, frequency and GRP, not to mention the commoditization of ad impressions.  Even post impression activity is negatively affected by the problem, because all of the impressions that aren’t delivered or viewed are factored into reports bringing down any measurement of this nature.

The real irony here is that in spite of the blind nature of many online advertising transactions, sellers call themselves “Transparent.”  I’ve had ad networks say to me, “I know exactly where all of my ads are delivered to, we select sites from a drop down menu so I know.  It is completely transparent!”  Then I say “Well you do select from a drop down, but do you know the ad actually got to that web page for every impression you bought?”  Well, they don’t.  And viewable impression data shows that in fact a significant number of these impressions purchased don’t actually show up anywhere.

Again, we are not saying that all ads bought in blind environments aren’t delivered or appear; many do. However, many also don’t.  And here is why: (also, many other posts on this blog delve deeper into this subject.)

Abandonment. When a viewer calls a web page the auction starts for the available impressions on that page, all the bids are analyzed, then a decision is made, then the ad begins its journey from the ad server to the page, loads and renders. The assumption is that the ad space is a constant and will remain there for as long as necessary to render the ad purchased. Unfortunately this is not always the case. In fact viewers will often close or leave the page before the ad even gets there.

Non-human agents and devices that don’t render ads. Unfortunately, the web is crawling with, well, “crawlers.” And these non-human agents all render web pages and call ads. In addition, the number of mobile devices and apps that can’t render ads is exploding.

Suspicious activity. In essence, the practice of using iFrames of a different domain in online advertising has been reasoned to protect web pages from content that they do not trust. The actual result of the practice of using iFrames of this nature is to open online advertising measurement to a variety of impression fraud methods that have dramatically compromised the accuracy of impression measurement today.

Blind iFrames are extremely vulnerable to fraud, since they can be any size, including 1X1 or 0X0 pixels, and can be activated even if they are not on a web page, and there is no way for any technology to see or communicate with the parent document to confirm that the iFrame is not in another iFrame, or is even on a web page.

Documents can be hidden behind these iFrames that may have any number of ads or ad tracking pixels placed in them.

In addition, it can be argued that this type of ad placement is not IAB compliant because there is no way to ascertain if the iFrame is actually on a web page.

Below is an excerpt from the IAB Ad Impression guidelines:

1. A valid ad impression may only be counted when an ad counter receives and responds to an HTTP request for a tracking asset from a client. The count must happen after the initiation of retrieval of underlying page content. Permissible implementation techniques include (but are not limited to) HTTP requests generated by <IMG>, <IFRAME>, or <SCRIPT SRC>.

If the underlying page content is not seen or discernible, then, well, one just does not know where that iFrame, or a tracking asset within the iFrame, was initiated from.

Live Sample

Below is a sample of a live implementation of blind iFrames which utilizes a number of the “suspicious” iFrame configurations described above and that we have seen in the field.

This configuration produces nine impressions in total, while displaying only one ad that can actually be seen.

Click the links to see each layer rendered. “Top Level 5” displays one ad (the only ad the viewer would see in this configuration) while creating impressions for all of the ads placed on the other levels.

When clicking on any level other than Top Level 5, keep in mind the ads you see would actually not be seen by the viewer, since the pages are hidden within the Top Level 5 page.

In reality any number of impressions could be created this way with one page rendering.

Top Level 5: One ad

Level 4: One ad + 1 x 1 iFrame with Level Three loaded in

Level 3: Level One + Level Two + two more ads

Level 3: Level One + one more ad

Bottom Level 1: three ads

If this kind of configuration is made possible by the existence of blind iFrames then, well, we have a problem.  The good news is there are solutions.

Next:  Which players in the online advertising landscape are using nested iFrames; and how we can overcome the limitations of nested iFrames.

Tutelage, iFrame diagrams and live sample provided by Nikolai Mentchoukov.
