Disable DFP iframes to access parent window - iframe

I am having some troubles with malicious ads that show interstitials with no close button.
Inspecting the code, I found that DFP uses <iframe> tags to load the ads, but as the content of those iframes is loaded using JavaScript (using the iframe's document.write(), without a src attribute), they get full access to the parent window through window.top and window.top.document, allowing advertisers to inject code, show malicious ads and even steal data such as user emails and passwords.
In order to prevent this, I'm looking for a way to block DFP ads from accessing the main window. Is it possible?

Consider using SafeFrames rather than the Friendly Iframes you appear to be using. Quoting from DFP's help page on the subject:
"We recommend using SafeFrames and creatives compatible with SafeFrame for expansion instead of friendly iframes. SafeFrame is supported in DFP and enabled by default when using GPT tags. It enables transparent and rich interactions between page content and ads, while preventing external access to sensitive data and providing more granular control over which creatives are rendered."

I think you use synchronous rendering; try changing it to asynchronous.
https://support.google.com/dfp_premium/answer/183282?hl=en
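The difference between a friendly iframe and an isolated one, as discussed in the question and the SafeFrame answer above, can be checked per frame. This is an added example, not code from the original posts or from DFP/GPT; the frame ids, hosts and page origin are constructed, and the classification follows standard browser origin rules (a frame with no src inherits the page's origin, and a sandbox attribute without allow-same-origin or a cross-origin src isolates it).

```javascript
'use strict';

// A frame with no src (filled via document.write), about:blank, a javascript:
// URL or srcdoc inherits the embedding page's origin, so its scripts can
// reach window.top and window.top.document.
function inheritsParentOrigin(frame) {
  if (frame.srcdoc != null) return true;
  const src = (frame.src || '').trim().toLowerCase();
  return src === '' || src === 'about:blank' || src.startsWith('javascript:');
}

// Returns 'friendly' (shares the page's origin) or 'isolated'.
function classifyFrame(frame, pageOrigin) {
  // A sandbox attribute without allow-same-origin forces an opaque origin.
  if (frame.sandbox != null) {
    const tokens = frame.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    if (!tokens.includes('allow-same-origin')) return 'isolated';
  }
  if (inheritsParentOrigin(frame)) return 'friendly';
  try {
    return new URL(frame.src, pageOrigin).origin === pageOrigin ? 'friendly' : 'isolated';
  } catch {
    return 'friendly'; // unparsable src: do not report it as isolated
  }
}

// Reads attributes only, so a frame navigated after load is not reflected.
function auditFrames(doc, pageOrigin) {
  return Array.from(doc.querySelectorAll('iframe'), (f) => ({
    id: f.id,
    verdict: classifyFrame({
      src: f.getAttribute('src'),
      srcdoc: f.getAttribute('srcdoc'),
      sandbox: f.getAttribute('sandbox'),
    }, pageOrigin),
  }));
}

// Constructed sample frames (ids and hosts are made up for this example).
const PAGE_ORIGIN = 'https://publisher.example';
const SAMPLE_FRAMES = [
  { id: 'ad-docwrite', src: null, sandbox: null },
  { id: 'ad-crossdomain', src: 'https://frames.adserver.example/container.html', sandbox: null },
  { id: 'ad-sandboxed', src: null, sandbox: 'allow-scripts' },
  { id: 'widget', src: '/widget.html', sandbox: null },
];
const sampleVerdicts = () => SAMPLE_FRAMES.map((f) => [f.id, classifyFrame(f, PAGE_ORIGIN)]);
```

In a browser console, `auditFrames(document, location.origin)` lists every iframe on the page with its verdict; ad slots reported as friendly are the ones that can touch the parent document.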

Related

GTM - add an embedded youtube livestream iframe from GTM to specific pages

I am solving the issue where I would like to add a youtube live stream (via iframe probably or something) to specific pages on my website. Ideally with possibilities to turn it on, force it start on special time etc.
So if there are pages like
www.mypage.com/page1
www.mypage.com/page2WithIframe
www.mypage.com/anotherPageWithIframe
I would like to specify that on pages /page2WithIframe and /anotherPageWithIframe the user will see an iframe of the youtube live stream in the bottom right corner with the possibility to close it (or minimize it).
I know this could be easily done in website code, but I wonder if there is any way to configure this feature only via GTM (assuming there is a GTM which I can control without any limits).

Adding Custom Popups using google tag manager

When a user lands on a page, I want to show a custom HTML popup. I have Google Tag Manager integrated with the website.
Can this HTML Popup be shown using Google Tag Manager? (script and code to be inserted using Google Tag Manager)
Is it frowned upon / not advised to use Google Tag Manager for anything apart from tracking?
1.) Yes - GTM is pure Javascript, and inserts Javascript into the page code, so anything you can do you can do via GTM. There are some minor caveats (e.g. a size restriction on custom HTML tags), but doing a popup should work just fine.
2.) There are certain use cases that are discouraged - Google recommends against (or at least used to) making visible changes to the page markup via GTM. The problems with that are that GTM is loaded asynchronously, so you would not know at which point the changes show up and you might get "flickering" pages, and a possible performance impact when you force the page to re-render.
None of this applies to popups, so you should be fine (although using popups these days might have its own problems, but these are not related to GTM).
Personally I would recommend against implementing popups via GTM if the popup is an integral part of your page; splitting up an application between page code and GTM code will sooner or later confuse a developer. But if this is just advertising or a call to action or something similar then (IMO) using GTM is not a problem at all.

Load iframe on specific domains only

I want to allow some websites to embed an iframe with a page from my domain. However, I don't want anybody to be able to use the iframe content without my permissions. How can I allow only domains of my choice to be able to embed the iframe with the page's content?
I know vimeo does this, and allows video owners to block the video on certain websites that they don't find appropriate.
I want a server-side ASP.NET solution, because JavaScript code can be altered. However, if it can be done using JavaScript code and it's secure, it's OK.
From what I've seen, I need to pass the referrer in some way, but in a way that can be manually altered by other website owners to include the iframe themselves and it would work on their website too, without a permission.
Since it will be a standalone page as you mentioned in the comments, you can do this by inspecting the referer property.
Request.UrlReferrer
See that it contains the domain that you want to allow. This property is available when an embedder puts your page in the IFRAME's SRC attribute and the page loads for the first time.
If the user clicks on a link inside the IFRAME, it is not guaranteed to pass the containing page as a referrer.
If you want to allow multiple linked pages inside the IFRAME to allow a specific domain, then you will need to stick to a JavaScript based solution.
Note however that neither method is completely foolproof.
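The referrer check described in this answer is sketched below, paired with the browser-enforced `Content-Security-Policy: frame-ancestors` header. This is an added example, not code from the original answer; it is written in JavaScript rather than ASP.NET to show the logic, and the allowlist, hostnames and function names are constructed for illustration.

```javascript
'use strict';

// Constructed allowlist of origins permitted to embed the page.
const ALLOWED_EMBEDDERS = ['https://partner.example', 'https://news.example'];

// Substring test, the way "contains the domain" is often implemented.
// Weak: any URL that merely includes the allowed hostname passes.
function refererContainsAllowedHost(referer, allowed) {
  return allowed.some((o) => String(referer || '').includes(new URL(o).hostname));
}

// Hardened check: parse the Referer and compare the whole origin exactly.
function refererOriginAllowed(referer, allowed) {
  if (!referer) return false;
  try {
    return allowed.includes(new URL(referer).origin);
  } catch {
    return false; // malformed header value
  }
}

// Browser-enforced control: only the listed origins may frame the response.
function frameAncestorsValue(allowed) {
  return 'frame-ancestors ' + (allowed.length ? allowed.join(' ') : "'none'");
}

// Decide how to answer a request for the embeddable page.
function embedResponse(requestHeaders, allowed = ALLOWED_EMBEDDERS) {
  const referer = requestHeaders.referer;
  // The Referer can be absent (stripped by the embedder's Referrer-Policy),
  // so only a present, non-matching value is rejected here; the CSP header
  // is what the browser enforces on every load.
  const rejected = Boolean(referer) && !refererOriginAllowed(referer, allowed);
  return {
    status: rejected ? 403 : 200,
    headers: { 'Content-Security-Policy': frameAncestorsValue(allowed) },
  };
}
```

In ASP.NET the same comparison applies to `Request.UrlReferrer`, with the header added to the response; non-browser clients ignore both controls, which matches the answer's note that neither method is foolproof.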

Using Javascript to get around SEO concerns

I would like to know at which stage is it okay to start manipulating HTML elements/content using Javascript so as not to impair SEO?
I have read somewhere that HTML content that is hidden using the CSS property display:none is often penalized by Google crawlers, with good reason from what I'm led to believe...I ask this as I intend to have some div panels that are initially hidden, but shown once the user clicks on an appropriate link. My intention is therefore not to hide content from users entirely - just initially to give them a better user experience - I'm afraid Google may not see it that way!
My reason for doing this is to prevent the split second (or in some cases, a full 2 seconds) of ghastly unstyled html elements (positioning), before my Javascript comes in to position, hide and neaten everything up. So adding the display:none at the forefront, and then using Javascript to toggle visibility would have been ideal, but is apparently a no-no with Google Search Engine bot.
Do you experts have any advice? Thank you!
Google can now crawl AJAX sites using a simple URL substitution trick; you might be able to take advantage of this to let Googlebot see a plain HTML version of the page for indexing instead of your load-optimized page; see http://code.google.com/web/ajaxcrawling/docs/getting-started.html
If the content in question exists on the page in the HTML, and is accessible to the user by the time the page finishes loading initially, then you are okay. You want to make sure Google can lead a user to your page and see the content in question without requiring further interaction. Adding new content to the HTML after the initial load (i.e. content from the server) can be problematic for SEO. However, if all content is in the HTML by the end of the page load, then you shouldn't get docked. Keep in mind, good SEO strategy dictates using standard methods of usability so the web crawler can access your content.
Also, each page should follow a content theme. Example: Don't abuse users by hiding five different unrelated blocks of content "medical devices, kazoos, best diners, motorcycles, toxic waste" on one page. Theoretically you could take all of your site's content and lay it out on one page using javascript and 'display:none' waiting for an 'onClick', but that smells like spam.
EDIT, additional info as pertaining to the original question:
The search engine friendly way to display content dynamically is to load it, then hide it from the user.

Is it advisable to load display advertising in an iframe?

Some display advertising campaigns are very JavaScript heavy and it has a jarring effect on page load time because the ad is generally inline JavaScript - the useful parts of the page don't render until the ad has done its thing.
A solution seems to be to load the ad in an iframe in order to display useful content to a user while the ad loads in the background and "snaps into place" when it is ready.
I've been told a number of drawbacks of an iframe approach:
You are limited in the types of campaigns you can host - for example, no expanding ads that roll over content.
If you have multiple ad units on one page you can't have combined campaigns.
Advertisers avoid iframes because it is easier to game the system with false impressions
Are these real concerns? If so, are there any workarounds or should I keep display ads on page?
In my experience we have not had any problems with placing display advertising in IFRAMEs.
We still have ads that display expanding content over the rest of the page. For this to work, it requires the company delivering the creative to support "iframe busting" which does require you to host a special file on your web server. Pointroll, Eyewonder and the like support this. The actual calls to the ad network (doubleclick in our case) don't change really. Note that we have a policy of allowing expandable IFRAME content only on user-click; perhaps that is a key factor that enables this technique.
I'm not sure what a "combined campaign" is, but I'm not sure how it'd be impacted. Our calls to Doubleclick don't change - all the same parameters are supported in terms of identifying the site, zone, location, size, tile etc.
We moved to an IFRAME model from Javascript mostly for the freebie "asynchronous" aspect of IFRAME loading and also because it acts as a sandbox; we found cases where faulty ad creative could overwrite our whole DOM and blow up the page on certain browsers.
There are now techniques that can be used to load content via Javascript and still be asynchronous (XHR injection) but it's not for the faint-of-heart and is likely to be incompatible with ad serving anyway due to the need to serve content off the same domain.
Note that moving to IFRAMEs won't reduce page load time as measured by any kind of browser plugin, but it will at least background-load the ads, meaning the browser won't halt rendering for the Javascript. We've also experimented with techniques that utilize Javascript to defer the enabling of the IFRAME src parameter until a time that we're ready to let the Ads start downloading (for example, after the above-the-fold parts of the page have rendered). However, it's a fine balance between showing the paying Ad content and your page's main content.
Those are valid concerns. I would also add that:
When search engines find the advertisement, they will add them to their database as separate web pages, i.e. the link in the search results will be to the ad page (iframe), not to the page that contains the iframe.
It is more difficult for users with limited accessibility to navigate to the ads and click on their links. For example, if the user has keyboard access only.
