Iframes and abuse prevention.

This is impossible to enforce as contents are not visible to parent frames.</p> </blockquote> <p>Only one meta tag per document (Document has a roughly 1:1 relationship with Window), at any one time. </p> <p>The current implementation is a web browser extension which has knowledge of whether the current window is the "top" window. It simply ignores monetization requests in iframes, it doesn't thwart the top level content. </p> <p>This could be better specified.</p> <p>In earlier versions of the spec there was support for <code><iframe allow='monetization'></code> but it was never completely implemented, nor specified in detail, and given it is, as you say, complex, we removed it from the spec until we have a working proof-of-concept. </p> <blockquote> <p>Conversely, if meta tags in iframes are ignored a malicious actor could frame content pages and include a monetization tag in the top frame thus hijacking the payment from the child frame content.</p> </blockquote> <p>I am parsing that as a concern for people putting meta tags on top level pages, then embedding iframes of others content, with the top frame always getting paid. </p> <p>I think you have brought up some good points to ponder here. In the meantime there is X-Frame-Options for child frames wanting to protect their content: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</a></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/sublimator"><img src="https://avatars.githubusercontent.com/u/525211?v=4" />sublimator</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>The long scrolling page of collated content is something I've pondered now and then. Do you think simply distributing the revenue equally amongst all frames is fair? It would certainly pass the KISS test. Could the browser detect the content in focus somehow and give it the lion's share ?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jpettitt"><img src="https://avatars.githubusercontent.com/u/524856?v=4" />jpettitt</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>Regarding scrolling content, browsers knows what's in viewport. So it ought to be possible to credit frames that are in context. It gets quite complex to do once you have to take into account horizontally scrolling elements like carousels. </p> <p>Video and Audio are a bit easier with the death of flash. It should be possible to identify all video/audio tags and detect which ones are playing. Allowing a monetization http header on the video files would be helpful here.</p> <p>However if you're defining a standard and want browsers to bake it in (presumably the long term goal) it's best to define it how it should work and then make compromises needed to get it to work in the extension for now rather than limiting the standard to what's possible with an extension. Since extensions are disallowed on mobile if this project has any hope of actually achieving product market fit it needs to be baked into browsers.</p> <p>Regarding nested frames I don't think x-frame is really helpful here it's too blunt an instrument. A pair of content security policies that let an iframe disallow monetized parents and a complimentary policy to allow a parent to yield to monetized children in viewport might go a long way to solving it. Although it would have to be designed carefully and there are a lot of edge cases.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/sublimator"><img src="https://avatars.githubusercontent.com/u/525211?v=4" />sublimator</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>Good points! </p> <blockquote> <p>I don't think x-frame is really helpful </p> </blockquote> <p>Temporary :)</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/adrianhopebailie"><img src="https://avatars.githubusercontent.com/u/49902?v=4" />adrianhopebailie</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>Kamino closed and cloned this issue to <a href="https://github.com/interledger/webmonetization.org/issues/28">interledger/webmonetization.org</a></p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

adrianhopebailie / web-monetization

Iframes and abuse prevention. #26

16 and #23 have some discussion of where the `<meta>` tag and `monetization` object should live. The `document` vs `navigator` choice has some implications for abuse prevention.

adrianhopebailie / web-monetization

Iframes and abuse prevention. #26

16 and #23 have some discussion of where the <meta> tag and monetization object should live. The document vs navigator choice has some implications for abuse prevention.

16 and #23 have some discussion of where the `<meta>` tag and `monetization` object should live. The `document` vs `navigator` choice has some implications for abuse prevention.