Web browser default settings are key. All major web browsers allow iFrames by default. This leaves it up to the user to either disable iFrames or allow iFrames only for whitelisted URLs. And, while whitelisting URLs minimizes one's exposure to iFrame exploits, legitimate web sites do get hacked.
Ditto for JavaScript.
And the last I checked, Google's Chrome browser did not provide a means for users to either disable or whitelist iFrames. Still true?
The best of ZDNet, delivered
ZDNet Newsletters
Get the best of ZDNet delivered straight to your inbox
