
If you're going to put adverts on your site, always put them within an iframe, pointed at a separate "adverts" only domain. This will ensure they can't execute JavaScript within your own website context.



Unfortunately it looks like you aren't supposed to do that with Google AdSense: https://support.google.com/adsense/answer/3394713

> Is it violating program policy if I place ads on iframe webpages in my software?

> Yes, it does violate our policies. Firstly, you’re not allowed to place ads in a frame within another page. Exceptions to our policies are permitted only with authorization from Google for the valid use of iframes. Secondly, you’re not allowed to put ads in your software, e.g., if you control both a website with ads and an app that loads that website, we will take action against it.


Yeah, AdSense is amongst the most restrictive products out there, and the one without any support etc. Wouldn't recommend it.

Talking of which, where are the startups challenging AdSense's dominance?


This is a very good tip (for security) and I don't see it used anywhere yet. Should be enforced.


Does it have to have a different domain or would a `src`-less iframe also work? You'd have to write the ad code into the iframe from the outer page, but that's not hard.


On the video, it is mentioned that the advertisements are in a frame.


Is the iframe pointed at a separate domain though? This is crucial to enforce the same origin security within JavaScript.


You could also make use of the sandbox[0] attribute, but that will really only benefit IE10+ users (and chrome, ff, others.)

[0] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...
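
An added example, not written by any commenter in this thread, tying together the three embedding options discussed above (separate ad domain, `src`-less iframe, `sandbox` attribute): it computes which origin an ad iframe's document ends up with and flags embeds that share the page's origin. `auditAdFrame`, the finding names and the example.com / example.net URLs are assumptions made for the illustration.

```javascript
// Added example; function, field and finding names are hypothetical.
// frame = { src, srcdoc, sandbox }; sandbox is undefined when the attribute is absent.
function auditAdFrame(pageUrl, frame) {
  const pageOrigin = new URL(pageUrl).origin;
  const tokens = frame.sandbox === undefined
    ? null
    : frame.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  // A sandbox without allow-same-origin forces a unique opaque origin.
  const opaque = tokens !== null && !tokens.includes("allow-same-origin");

  // srcdoc, a missing src and about:blank all inherit the embedding page's origin.
  const inherits = frame.srcdoc !== undefined || !frame.src || frame.src === "about:blank";
  const contentOrigin = inherits ? pageOrigin : new URL(frame.src, pageUrl).origin;

  const findings = [];
  if (!opaque && contentOrigin === pageOrigin) {
    // Script in this frame can reach the parent's DOM, cookies and storage.
    findings.push(inherits ? "inherits-page-origin" : "same-origin-src");
  }
  if (tokens !== null && tokens.includes("allow-top-navigation")) {
    findings.push("can-navigate-top-page");
  }
  return {
    effectiveOrigin: opaque ? "opaque" : contentOrigin,
    isolated: opaque || contentOrigin !== pageOrigin,
    findings,
  };
}

// Constructed sample embeds for a page served from https://www.example.com.
const PAGE = "https://www.example.com/article";
const SAMPLES = {
  separateDomain: { src: "https://ads.example.net/slot1.html" },
  srcless: {},
  srcdocSandboxed: { srcdoc: "<p>ad markup</p>", sandbox: "allow-scripts" },
  sandboxUndone: { src: "/ads/slot1.html", sandbox: "allow-scripts allow-same-origin" },
};

for (const [name, frame] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditAdFrame(PAGE, frame)));
}
```
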



