Disabling iframes doesn’t disable iframes? (IE and Opera)

OK, I’m totally stumped. On my computer (Win7), disabling iframes in IE9 or Opera 10.53 doesn’t actually disable iframes. (I do not know how to disable iframes in Chrome or Safari.)

Firefox does honour the request, but only if I open a new window. (Wish they’d say so somewhere.) Restarting IE or Opera does not make any difference.

See this page that contains the test and explains what I’m trying to do.

Could you please disable iframes in your IE or Opera (instructions on the test page) and do the test? In theory the input field should read No because ... well ... your browser doesn’t support iframes. In practice it reads Yes because even with iframes disabled the browser executes the script in the iframe.

Does anyone know what’s going on? Is this a serious security bug in two browsers or am I overlooking something? (Currently I’m guessing the latter.)


This is the blog of Peter-Paul Koch, web developer, consultant, and trainer. You can also follow him on Twitter or Mastodon.
Atom RSS




Comments are closed.

1 Posted by Patrick H. Lauke on 2 November 2010 | Permalink

Just had confirmation that this is a bug in our current Opera implementation - effectively only the display of the iframe is suppressed, showing the fallback if present, but behind the scenes the iframe still gets loaded/processed.

2 Posted by Jukka T on 2 November 2010 | Permalink

Opera 10.53 is a bit old. You might want to update to at least 10.63. However the problem is present in Opera 11 alpha builds as well.

BTW, In Opera you can do the same thing with site specific preferences. Right click on page -> edit site preferences -> display.

And I think this is the problem: it's under "display", so it's just hiding the element not disabling it. Which means that events will still fire etc. It seems a bit daft, I agree. However, I don't really see it as a security bug. (Not sure about IE). IMHO, it's just stupid behaviour.

Extension/userjs could solve the problem but they would be just hacky workarounds.

Opera guys would probably appreciate if you had time to submit a bug:

3 Posted by Jukka T on 2 November 2010 | Permalink

Ahh, Patrick was quicker. So no need for bug report.

Anyway, hopefully devs will fix it as the current behaviour is indeed confusing.

4 Posted by arty on 2 November 2010 | Permalink

I'm pretty much sure that opera was made this way to keep lots of sites working. If posting comment or uploading photo doesn't work, user would blame opera and not himself for disabling iframes.

5 Posted by Anders Mattson on 2 November 2010 | Permalink

My first guess would be that this is a quick fix by browser vendors to allow users to protect themselves from clickjacking.

6 Posted by Steven Berkovitz on 2 November 2010 | Permalink

For IE, I think you are mis-interpretting the intended behavior of the option.

From what I remember, and some info @ http://support.microsoft.com/kb/232077, it seems this option is intended to prevent iframes from using a file:// URI to execute a local executable, not to disable script in iframes.

Hope this helps.

7 Posted by Wilco Fiers on 3 November 2010 | Permalink

Opera 10.62 is doing the same. Good to know that doesn't protect you from anything at all.

8 Posted by Erik on 4 November 2010 | Permalink

I agree that it's weird that the browsers don't conform to the options but I just have to ask, why would you want to disable iframes?
Wouldn't this break a lot of pages, e.g embedded youtube videos etc?

9 Posted by Chas Boomer on 11 November 2010 | Permalink

This is a VERY annoying quirk! I am trying to find a solution as to why, in IE8 on Windows 7, when I click on a Google result (or I guess directly paste a URL in) and navigate to any page that has iframe advertising, ALL of those advertising pages show up in the "Recent Pages" part of the nav bar. Conversely, clicking the back button makes you go back through EACH AND EVERY iframed advertisement before you get back to the Google results or whatever page you are trying to get back to.

I have my HOSTS file set up to block all of Doubleclick ads and many others (thank you mvps.org for the ad/malware/spam blocking HOSTS file).

I also have my IE8 Security/Privacy set to disable 3rd party cookies and to disable iframes.

However, navigating to your link above, I get the word "Yes" in the input field.

VERY frustrating!

10 Posted by Keith on 28 November 2010 | Permalink

Don't think this setting controls browsing html using an iframe. From the MS website it says:

This option controls whether users can launch programs and files from an IFRAME element (containing a directory or folder reference) in Web pages within the zone. This option has the following settings:

I think the key bit is in the brackets about containing a directory or folder ref.

Found this on an IE6 info page but it's probably the same for later versions - http://www.microsoft.com/windows/ie/ie6/using/howto/security/setup.mspx