Social applications running on top of a container pose a major security risk for that container. To host the applications, containers essentially need to run third-party code within their pages. This raises the question of how to host applications without introducing a security risk to the users of the social networking container.

There have been numerous efforts to mitigate this concern. Some containers encourage developers to build their applications using a secured subset of HTML and JavaScript functionality, giving the containers assurance that the code they host is safe from potential security problems. Other approaches include the implementation of frontend code rewriters like Caja or ADSafe, which allow the container to rewrite an application’s code to a secured subset of functionality, stripping out any tags or functionality that could be used maliciously. We will explore these technologies more in the upcoming section Securing Applications, and in Chapter 8, which covers secure application development methods.

Despite the number of methods that have been employed to secure applications, iframes remain the most popular for the vast majority of containers. The benefits to using iframes are quite clear: they are easy for containers to implement, and they give application developers maximum functionality with minimal restrictions.

On the other hand, though, the limited restrictions imposed on developers who build their application content within an iframe are also the main drawback to this method. Malicious developers can take advantage of this freedom through a number of well-known iframe exploits, described in the following sections.