SafeFrame is an open-source platform that opens a line of communication between the iFrame-contained ad creative and the publisher page.

What is an iFrame?

An iFrame, or inline frame, is an HTML document that allows you to add content from external sources on your web pages. It’s like an extra window on your webpage that shows an external source within it. 

You can use iFrames for almost anything, such as sharing external images, embedding YouTube videos, hosting online ads, or adding a map on your website’s ‘Contact Us’ page to help potential customers find you. 

iFrames are the only frame allowed in HTML5. 

Many popular sites use iFrames, including the streaming sites Vimeo and YouTube, the photo-hosting site Flickr, and Google Maps. The ads you see on web pages are also usually iFrames. 

iFrame benefits and drawbacks

One of the benefits of an iFrame is that it isolates advertisement code from an ad network like AdSense. This prevents ad content from interacting with your web page’s content and interfering with how everything functions. It also stops advertisements from obtaining sensitive user information. 

That said, these features limit advertising flexibility. For example, the ads can’t dynamically interact with website visitors, and the ad dimensions won’t appear correctly. Collecting performance data and viewability — important metrics for both publishers and advertisers — is also off-limits.

Overcoming iFrame’s limitations

You can overcome iFrame’s limitations by adding JavaScript code within the web page code. JavaScript allows you to resize an iFrame and use interactive ads. Although this may seem like an easy fix, it has its drawbacks. 

Adding JavaScript allows you to read and modify almost anything within the web page. So you have to ensure you don’t unintentionally serve ad content that acts in bad faith, such as collecting sensitive user data. 

From a purely technical aspect, that control can cause unexpected distortion of your page layouts and code issues that can leave the web page, advertisement, or both broken. However, you can address these problems by using publisher-side files (PSFs).

SafeFrame - iFrame

Understanding PSFs

PSFs are custom JavaScript codes that marketers create for use on publisher websites. They control what an iFrame can and can’t access. These files allow rich media ads, preserve your control, and protect sensitive consumer data, such as personal contact information. 

One disadvantage of PSFs is that you’ll be the one to manage and maintain an ever-expanding list of ad-specific pub-side files. The easiest solution to these issues is to use a SafeFrame. 

What is SafeFrame?

SafeFrame is an API-enabled iFrame (where API stands for application programming interface) developed in 2013 by volunteers from 21 Interactive Advertising Bureau (IAB) member companies. 

This open-source platform allows for communication between the ads contained in an iFrame and the publisher page content. It allows digital publishers to maximize their ad revenues without giving up control over their data sharing or web page layouts. 

You can run SafeFrames iFrames on your web pages. When third-party advertisements appear in those iFrames, the API rules make sure you can still control their page layout, data privacy, and user experience. The rules also allow rich interactions between the ad and page content while providing the data you need for campaign measurement and delivery. 

SafeFrame benefits

The SafeFrame protocol gives you all the benefits of a traditional iFrame, which we’ll look at below.

Greater efficiency

By including SafeFrames in each of your ad units, you’re allowing rich interaction while preventing the advertisement code from disrupting the function of the page at the same time. This can help boost your revenue potential while also reducing operational costs, as you don’t need to hire a team of developers to look into and address functionality issues. 

Greater control 

SafeFrame isolates your web page and ad codes, preventing them from interacting with one another. This is what gives you greater control over your page’s layout without worrying about any interference. 

In addition, being API-enabled means SafeFrame can evaluate and determine which information must be accessible to advertisers and third-party vendors. 

Better user protection

Cybercriminals or bad actors usually hide malicious code in their ads, attempting to steal sensitive information from your website and users. For instance, some bad advertisements may force your users away from your web page and bring them to sites intended to steal their information, such as their social security number, credit card details, or just regular browsing data. They may also leave a script that strips this information directly from your website. 

Since SafeFrame limits what you can do through iFrame, you’re preventing the risks of these attacks. 

No mobile redirects

SafeFrames can’t change ad sizes, so advertisements can’t redirect to another web address or URL. Also, there’s a restriction on the flexibility of ads. This can help block malicious advertising (or malvertising) from being distributed from any creatives. 

However, since SafeFrame is relatively new, not all ad networks are compatible with this technology. This means it’s important to always check with your ad network before deploying their creatives in DFP, as Google SafeFrames may block URL transparency, which is a massive issue for many ad networks.

How to enable SafeFrame in Google Ad Manager

To minimize the chance of malicious ads appearing on your webpage, Google recommends activating SafeFrame within Google Ad Manager. This ad management platform allows you to control whether an advertisement is rendered using a SafeFrame for the following types of ad creatives:

  1. Custom creative
  2. Third-party creative
  3. Custom creative templates
  4. Standard creative templates

It’s vital to know the different advertisement creatives before activating SafeFrame, especially given the potential conflicts surrounding unsuitable advertisement content served to a non-SafeFrame web page — and vice versa. 

For custom and third-party creatives, you don’t have to make changes, as SafeFrames are on by default. If you want to disable them, simply check the box. For custom creative and standard creative templates, just follow the same method by disabling/enabling the SafeFrame based on your needs. 

To make sure that advertisement slots can use SafeFrame, open Google Publisher Console and look for “iFrame type”. The ad slot either reads as “SafeFrame” or “none”.

The future of SafeFrame

The IAB Tech Lab went silent for several years after releasing SafeFrame 1.1 in 2014. In the middle of last year, the group released SafeFrame 2.0 — but only for a two-month public consultation. 

Aside from pre-existing benefits, SafeFrame 2.0 would include support for programmatic advertisement. The group also said that although SafeFrame executes after the header bidding process, the wrappers might get rejected due to a lack of support in the programmatic advertising process. 

IAB added that it has been working with programmatic providers to include features in the process that would better communicate the presence of SafeFrames. 

Measurement and MRAID

SafeFrame MRAID measurement

SafeFrame 2.0 may offer replacement measurement features from previous versions. It would come with vendor-specific measurement standards and solutions. 

IAB will also align SafeFrame with MRAID, which stands for Mobile Rich Media Ad Interface Definition — this works across different app environments and mobile operating systems. The goal is to streamline the ad conversion from mobile to web, and vice versa, cutting down on production costs and ad development time. However, this may require IAB to start over, rather than “complete a stop-gap release for SafeFrame”.


In April 2022, IAB released a new initiative known as SHARC, which stands for Secure HTML Ad Rich-media Container. It’s a standardized “safe ad container” API that allows interactive advertisements to be served on the web, mobile applications, and other HTML-enabled environments. The content is in a secure iFrame that prevents the ad from accessing sensitive pages and user information.

For the sell side, SHARC allows publishers to offer rich ad functionality for businesses or brands while safeguarding their properties from the risk of functional errors and data leakage caused by external sources. 

For the buy side, the standardized ad container can be served on any SHARC-enabled medium or platform. This reduces the number of creatives you need to develop for cross-platform campaigns. It simplifies the development of ads, reducing the load on ad servers, cutting down costs, and making it easier to expand campaigns to new channels or platforms. 

SHARC replaces two standards — MRAID for mobile and SafeFrame for the web. It addresses issues that prevented safe ad containers from working on multiple platforms in the past. 

Key takeaways

  • The iFrame is an HTML code that a publisher inserts into their web page code. It can prevent the elements of a website from interacting with other features on the same page. You can use SafeFrame to overcome iFrame restrictions on web page interaction and take full advantage of rich media ads. 
  • SafeFrame allows digital publishers to earn ad revenue without compromising control over web page layouts or losing out on data sharing. 
  • SafeFrame is a big step ahead for digital publishers when it comes to maximizing web page ad revenue. As a publisher, you need to implement protocols yourself. Doing so can open up fresh revenue chances, cut down operational and maintenance costs, and improve your site’s security. 
  • SafeFrame has benefits that can help you work better with the latest ad technology. As a publisher, your primary concern is to provide the best user experience for site visitors and ensure users interact with advertisements — all while keeping personal data secure. 
Get the latest marketing news and expert insights delivered to your inbox