Why not to use iframes for embedded dashboards
10 comments
July 18, 2025 · bawolff
NoahZuniga
Also, clickjacking isn't a security risk for the page embedding the iframe. This shows a fundamental misunderstanding.
tasn
Another alternative is loading a library and setting it to a fixed version.
You're still giving a 3rd party full access to your website, but at least it's more auditable and safe.
Fwiw, I think iframes are great!
bawolff
While I agree that is better than nothing, I've always had my doubts about this approach.
Do people really audit such code? I doubt it. Does the code really not insert any additional code that allows bypassing the whole scheme (esp. if the point is to dynamically insert content)?
I also think most of the time, the biggest threat is not the vendor being intentionally evil but the vendor making a mistake that leads to XSS which someone else exploits. After all, if the vendor is intentionally being malicious they can probably sneakily bypass this sort of thing.
btbuildem
I keep revisiting this approach over and over again - I don't know, maybe I never learn. I'm not interested in analytics dashboards, my context is more around stringing together prototype/poc services into workflow pipelines. The idea usually is along the lines of "have an orchestrator service that knows what the user is trying to do, and serves a sequence of specific, embedded micro-UIs backed by services that implement each step of the overall process". I can't seem to shake this "do one thing and do it well" unix motto, and keep wanting to bring it over to UX design.
josephcsible
> Your end users expect brand-consistent dashboards that match the host app down to the smallest pixel.
Is that really true? Aren't most end users now used to, e.g., YouTube and Twitter iframes looking exactly the same everywhere, no matter what the surrounding site looks like?
joloooo
We just use Observable Framework https://github.com/observablehq/framework
hbcondo714
FWIW, Observable Framework has iframe embeds too: https://observablehq.com/framework/embeds#iframe-embeds
rohan_
I don't understand this product. I feel like tools like v0 can one-shot an analytics dashboard these days. I do think something like https://upsolve.ai/ provides real value though.
msgodel
Oh it's more analytics crap.
> Security teams have raised red flags about iframes for years. Cross-frame scripting, clickjacking, and credential phishing are common exploits, since the frame executes third-party code inside your trusted domain
I would disagree.
Yes, iframes have security risks, but they generally pale in comparison to giving some other random site full control of your page, which is the alternative.