I don't quite know how to frame this and it may already be answered, if so just link to the answer. I am trying iframes for the first time. Basically most of the pages on my site have a menu at the bottom of the page that points to different pages on my site, and that menu needs to be the same across pages. I currently copy and paste the contents in the window to the next page etc. and that works fine. However I have dozens of pages and changing all of them when I change the contents of the menu is a real PITA. So I created a page with just the contents of the menu. I can create an iframe that shows that menu page without any problems. I made the frame size fit the contents of the menu page. However if it's smaller than the menu page it shows scrollbars. a size that makes one scroll across or down to see the entire contents. I don't want that to happen, and I need it to dynamically change the size to fit the contents of the menu page if that page size changes. I can play with the width and height so that it doesn't scroll, but I don't know how this would be shown in other browsers (it does work on Firefox and IE).
Iframes are an emphatic NO. Security and performance issues aside, iFrames are a last resort for when you absolutely can't do it any other way.
Server-side Includes are a resounding YES.
Alt-Web Design & Publishing: Server-Side Includes with PHP
Another option is to fetch content with AJAX (asynchronous JavaScript and XML).
Don't use iframes, they're really not the right way to do this.
Use some basic Server Side Includes instead, they're far easier and make a lot more sense.
If you have PHP installed on your server (most do) you simply create a small file that holds just the html from your menu (the include file). No <html>, <body> or <head> tags, nothing extra, just the code for the menu. You then call for that file with a small include snippet and the server writes the code from the include file where you place the snippet.
Unfortunately I am limited to what I have. A related question while I have your attention. Is there a way to "discover" the size of a page?
I forgot to say that it appears to work just fine.
You _can_ do server side includes without changing to a dynamic server-side language like PHP, ASP, ColdFusion, etc. You just create a navigation file, give it an extension of .shtml, and include it across all pages. Change one navigation file, that change appears on all pages that include the navigation file.
https://www.yourhtmlsource.com/sitemanagement/includes.html
Easier to maintain, and most webservers (IIS, Apache, etc.) support it. If your hosting service doesn't support SSI, you should find a new host.
Just my two cents,
V/r,
^ _ ^
https://forums.adobe.com/people/Nancy+OShea wrote
Iframes are an emphatic NO. Security and performance issues aside, iFrames are a last resort for when you absolutely can't do it any other way.
I'm doing research work on the wrong side of iframes. Could you, Nancy, or others who are interested in this subject, give me leads, URLs, or articles about security issues when using iframes on a page?
I think that you are being mischievous Mr Birnou. You know that iframes are not a security risk unless the content is being served from outside of your control.
In fact, and without playing on the subtleties of the language, I have often noticed that when someone advises not to use iframes, the implicit message that goes with it concerns security, performance, etc... but no one ever explicitly refers to the site that is mirrored in this open frame of the page.
So I'm doing research work on the wrong side of iframes, and that's why I asked everyone who is interested in this subject to give me leads, URLs, or articles about security issues when using iframes on a page, or any wrong sides of iframes.
Clickjacking
https://www.owasp.org/index.php/Clickjacking
Cross Frame Scripting
https://www.owasp.org/index.php/Cross_Frame_Scripting
Excerpt from StackOverflow
html - Why are iframes considered dangerous and a security risk? - Stack Overflow
"IFRAME element may be a security risk if any page on your site contains an XSS vulnerability which can be exploited. In that case the attacker can expand the XSS attack to any page within the same domain that can be persuaded to load within an <iframe> on the page with XSS vulnerability. This is because content from the same origin (same domain) is allowed to access the parent content DOM (practically execute JavaScript in the "host" document). The only real protection methods from this attack is to add HTTP header X-Frame-Options: DENY and/or always correctly encode all user submitted data (that is, never have an XSS vulnerability on your site - easier said than done)."
Mozilla Developers Network/ Pay close attention to Sandbox and its browser support
<iframe>: The Inline Frame element - HTML: HyperText Markup Language | MDN
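As an added example (not written by anyone in this thread), here is one way to check which framing policy a page actually sends, covering both the X-Frame-Options header quoted above and the CSP frame-ancestors directive that supersedes it. The function names, the category labels and the sample paths and header sets are assumptions made up for the illustration.

```javascript
// Added example. Header names are lower-cased, as Node's http module delivers them.

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Classify who may frame a response: 'deny', 'same-origin', 'allowlist' or 'unprotected'.
function framingPolicy(headers) {
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // Where frame-ancestors is present, supporting browsers enforce it over X-Frame-Options.
    const only = sources.length === 1 ? sources[0].toLowerCase() : null;
    if (sources.length === 0 || only === "'none'") return 'deny';
    if (only === "'self'") return 'same-origin';
    return 'allowlist';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // Design choice of this example: anything else, including the obsolete
  // ALLOW-FROM form, is reported as unprotected so it gets reviewed by hand.
  return 'unprotected';
}

// Constructed sample responses (not taken from any real site).
const SAMPLES = {
  '/menu.html': { 'x-frame-options': 'SAMEORIGIN' },
  '/account': { 'x-frame-options': 'DENY' },
  '/legacy': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  '/checkout': {
    'x-frame-options': 'SAMEORIGIN',
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  },
  '/news': { 'content-type': 'text/html' },
};

function auditAll(samples) {
  return Object.fromEntries(
    Object.entries(samples).map(([path, headers]) => [path, framingPolicy(headers)])
  );
}

console.log(auditAll(SAMPLES));
```

A page classified as 'deny' cannot be framed even by its own site, so a same-origin menu iframe like the one in the original question needs the 'same-origin' policy on the framed page.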
Thanks, Nancy, for your feedback.
Well, none of those links indicate that iframes are dangerous, in themselves, to be used in a web site, except if what is linked inside the iframe is something malicious.
As Ben said, it is like linking a malicious script to the page,
by the way, I like the last link which is just MDN encyclopedia... ... I love MDN
So please, let me reformulate my initial question: if someone uses an iframe where both the host page and the iframe content are coming from the same domain (as the OP asked), what are the security and performance issues when using iframes in that case? (either if SSI is better adapted) or Library item as we are in a DW forum?
And one more option you might want to read about is Dreamweaver's proprietary Templates (DWT files).
How to design web pages based on Dreamweaver templates
Alt-Web Design & Publishing: Working With Dreamweaver Templates (.dwt files)
I'm really trying to hold my tongue but it seems like whenever I ask a simple question in this forum I get shot down because I'm "doing it wrong". Some people may want to think of that, I'm sure quite a few people seeking some simple help are also fed up with it. For some of us this isn't a way of life, just a way to construct and maintain rudimentary websites.
orerockon, I am sorry that you feel that way. Basically, what Nancy has said is correct, you should not be using an iframe for that purpose, server side includes are a much better and safer way to go.
This is not attacking you, it is Nancy's way (and probably that of most advisers in this forum) of helping you. Yes you can use iframes if you prefer that method, but be assured that, aside of the perceived security risks, the implementation will be a lot harder than using SSI.
Birnou, who is an educator, was asking Nancy what proof she has regarding the security risks when using iframes so that he can arm himself when passing the information on to his students.
Because I am of the belief that an iframe is no more of a risk than script or link, I playfully joined the conversation as the devil's advocate, not aimed at you, but at both Birnou and Nancy.
So, for that, I apologise.
BenPleysier wrote
Birnou, who is an educator, was asking Nancy what proof she has regarding the security risks when using iframes so that he can arm himself when passing the information on to his students.
although I have nothing against being an educator... I don't consider myself an educator...
my main professional activity is based either in the development of mobile applications (generally for intranets of assistance companies, in the medical and hospital environment, marine insurance...) or in company support in order to help them set up solutions to manage their data flow...
and it's true that in this case, it can often be likened to training... hence universities have often asked me to intervene as a pro speaker in their amphitheatre... from here to there, video2brain and Adobe then asked me to present some axes of their catalogue and in particular on DW and the technologies that revolve around it.
but I'm not an educator for that...
anyway, quite often students (if we have to call them that way) generally know much more than I do... I just have my own experience to offer them.
in the amphitheatre, there is a desk and bleachers, but that is coming from the old age... quickly you find yourself mixed up in sharing the same passion and debating it (a little like here)... the only difference is between those who live financially from this passion and the others.
https://forums.adobe.com/people/B+i+r+n+o+u wrote
... and Adobe then asked me to present some axes of their catalogue and in particular on DW and the technologies that revolve around it.
You may want to rephrase that Birnou.
To me that reads as though Adobe asked you what to get rid of, (axe a feature or program = eol or remove it from current offerings).
pziecina wrote
You may want to rephrase that Birnou.
To me that reads as though Adobe asked you what to get rid of, (axe a feature or program = eol or remove it from current offerings).
well, ... it can be used in both way...
- and Adobe then asked me to present some of the main themes of their catalogue and in particular on DW and the technologies that revolve around it.
but also
-and Adobe then asked me to present some applications from their catalogue and in particular on DW that would be brought to the shelves (but also Dreamweaver, Fireworks, Freehand, Director, Flash, Breeze...).
yope, Ben said everything... please don't take any offense, and please, as Ben said, if using an iframe is a way to handle stuff for your problem, go ahead and use it...
personally when I use an iframe solution it is generally to protect a second delivery server which has to respond to a unique ID (the one from the hosting main page) and in that case I use a reverse proxy server for that purpose.
I share the same point as advocated by Ben, iframes are no more dangerous than a link to a malicious script ... so it all depends on what you're hosting in the iframe