Is it safe to insert 3rd party elements into your webpage?

As I use MSN Live Messenger at lot it was only natural for me to extend it with the integration to Aardvark. Aardvark is a global service which allows users to ask questions “onto the net” – within 15 minutes you will have an answer given by another human using Aardvark. The answer may not be the ultimate answer, but you get it relative quick and it is not from a computer (or search engine). That is the origin of this article.

Aardvark poked me with a question from Nathan J. Brauer (
”If you embed a 3rd-party shockwave-flash object into your webpage, can it take control of the page?”

The scenario – adding extra value to your website
You have a website and you want to add extra functionality to the page using one of the many widgets, free flash or shockwave elements, javascripts (like Google Maps) or other “out-of-the-box”. You insert the snippet into your own website, adding a “window” to a foreign website. That will make your website look more complete, as now people can get more “value” from a visit to your site! That is cool!

The downside – If you choose to embed it directly on your page
I am not an security expert but my personal experience working with the internet since 1995, and knowledge about what is possible in a browser told me this:

  1. Components might “sniff” information from the “mother” page and send log it.
    If your choose to embed something from a foreign site it will be able to send information back to the site of the component. You can imagine that things like values from elements in FORMs on your page might be of interest of “bad 3rd party site”.
  2. Components might change content on the page
    As the page is part of the DOM of your website the component can do anything on the loaded page! For instance it might change all links to go through a “proxy” site allowing it to track clicks from your page. The uses might never discover that anything is “wrong” as a click will end on the expected page, though the user will have gone through a foreign sight leaving footprints and information there…

A soulution the the potential security risc: Use IFRAMES!
Now, here is where Aardvark came to great use! As you remember it was actually a question which I was given by Nathan J. Brauer ( I send out my knowledge to Nathan, and indeed I got something back!

Nathan had talked to others (on the Aardvark net) and someone had the great simple soloution to embed 3rd party components using the IFRAME tag! That way the component will have limited access to the DOM of your page! The problem solved!

Join Aardvark! Be a part of a global problem solving network!
So I can only advice you to join Aardvark! I got the above knowledge this time and had a great dialog with Nathan! I now know just a litle more about Vietnam, Korean Soap Operas, Nathans mother-in-law and – yet all this makes me smile (That is a good thing!).


One thought on “Is it safe to insert 3rd party elements into your webpage?

Leave a Reply