Slashdot Mirror


HTML Frames Considered Harmful

DLWormwood writes "Secunia has recently issued yet another advisory about web browser vulnerabilities, this time concerning the use of frames in web pages. Originally discovered to be in Internet Explorer, the security experts apparently worked overtime just to make sure the same "flaw" is found in just about every other browser out there. Doesn't this notice simply complain about a specified design feature of frames? (Note their official "advice": "Do not visit or follow links from untrusted websites.")"

6 of 104 comments

  1. Frames are evil, anyway by Anonymous Coward · · Score: 5, Insightful


    Since when was this news?!

    Frames are evil. Frames supposedly make the web designer's job easier, but they cause an increased maintenance overhead. Frames supposedly create a better interface to a website for the end-user, but they cause severe usability problems.

    It's common to see frames abused by newbies in implementing a left-hand menu and top banner layout with the mistaken belief it's easier to maintain and makes downloading quicker. There are numerous problems this implementation raises typically related to the paradox it creates.

    To make up for the usability deficiencies, many framed websites use some client-side techniques which cause further maintenance nightmares. There is a definite usability versus maintenance trade-off with frames, which makes it a difficult technology to manage well. The alternatives available have none of these drawbacks, thus frames are a sub-optimal, and typically backward solution.

    Most of this "usability"-hacking of framed websites results in a complete dependency on Javascript - another evil. Considering the on-going problems related to Windows' lax security model (in the OS, Outlook and Internet Explorer) and the exponential growth of scripted worms and viruses (Melissa, Love Bug, Kournikova, SirCam, Code Red, Code Red II, Code Blue, Nimda), this convinces a greater number of surfers to switch off Javascript entirely, which in turn causes a framed and scripted site to die a rather horrible death in the browser.

    1. Re:Frames are evil, anyway by ericspinder · · Score: 3, Insightful
      the mistaken belief it's easier to maintain and makes downloading quicker.
      It does make downloading successive pages quicker, but I don't know anybody at 14.4K, so it doesn't make anywhere near the difference that it used to. It helps download speed if you have rollover image based navigation (really a mistake, but sometimes you don't have a choice). Also, before the ubiquity of the Application server it was either use JavaScript Objects kept in a hidden frame (or what was later called a 'pop-under') or roll your own CGI session mgmt.

      However, you are right about the need for usability hacks with frames, just getting the back button to work right is a real pain. But, I disagree about JavaScript being 'Evil', it's a tool which is particularly well suited for client side actions. I have used JavaScript recently to re-order a list rather than redoing the query, it's much faster than any of the alternatives. If you want to surf the net with JavaScript turned off, that's your business. Now I avoid frames, unless I am told that is how it will be, but JavaScript is still very useful, especially combined with CSS (aka DHTML).

      The "lax" windows security model and the viruses you mention may be issues, but they have nothing to do with this issue. It's like saying: "Because of the war in Iraq, and the growth of fungus, You should only have salad at McDonald's, because it's better for you, QED."

      --
      The grass is only greener, if you don't take care of your own lawn.
    2. Re:Frames are evil, anyway by lphuberdeau · · Score: 4, Insightful

      I have to agree that in common websites, frames are quite useless and ugly. All they really do is make navigation a hell, but there are situations where frames are useful. I work on internally-used applications which sometimes have a web interface, and the users actually asked to have frames available in some cases. Frames can fill the gap between the usability of a standalone application and flexibility of the web.

      It might seem useless, but the simple fact that frames can be resized does suit most needs. Users can decide which section of the content is most useful to them. A common usage is when the users actually need to compare documents. Having both side by side can be nice.

      Just imagine Java's documentation without the frameset, it would really be a pain to search in. The class list is very long to load, and I'm quite happy they didn't simply include it in all pages.

      Frames are not evil, neither is JavaScript, it just depends on how it's used. Using frames for a menu is not a good thing, and using frames for a banner is simply worse. Those kinds of usage really gave frames a bad reputation because they simply reduce the amount of usable space on the monitor. JavaScript used for pop-ups or ugly 'eye-candy' stuff really also is an error, but JavaScript can enable some real dynamism in a form and actually allow to save a lot of time in the processing. Isn't filling country, state and city automatically nice when a user enters a zip code?

      There used to be problems with JavaScript and browser compatibility, but it's not that bad anymore. Of course, IE simply won't support everything, but there are always workarounds.

      Really, those things are only evil if you're a designer. When you need to build an application that people will actually use and need to be productive, you need to look over those things to see if they could make the entire application better. Just don't abuse.

      --
      He who does not go hunting has no game
      PHP Queb
  2. Re:CSS by NutscrapeSucks · · Score: 2, Insightful

    This is true for the most part. However, sometimes you want content to stay on the page without doing a reload (perhaps there's a long database query or something). In that case frames/iframes are pretty much your only choice.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.
  3. a null issue by TheSHAD0W · · Score: 2, Insightful

    There really isn't much difference between a transparent frame with a Java app intercepting access to a legitimate web page, and someone's creating a mock-up of the legitimate page; either way, the only real way to tell is the URL displayed in the address bar. Any real solution for one should work for the other.

  4. Re:Not a bug, a feature by Anonymous Coward · · Score: 1, Insightful
    Top Ten Sucky Parts of the Web, using the Web-is-like-a-library analogy
    • Resize/maximize browser window from JS. When you're reading a book, does it latch on to your face with claws, preventing you from seeing anything else?
    • Pop-up ads and dialogue boxes. When you open a book, do other books fly off of the shelf and at you, flinging themselves open in the process?
    • Pop-under ads. When you finish reading a book and close it, does it fling itself back open to a different page?
    • target=_new. How about those books that hop from table to table, requiring you to chase them?
    • Bloat. Are books 30-40 lbs. each, having pages measuring several yards across?
    • Sites relying on nonstandard features. How about those books printed in a five-ink process (four-colors and black, and are only legible if you can distinguish all of those) for those women who have four types of cone cells? Or the books where letters are randomly either red or green, since the author was red/green color-blind?
    • Rapid-flashing animated images. Epileptics aren't permitted in libraries, after all.
    • Unexpected animation and interaction (read: abuse of Java and Flash). After all, we're all looking to go to the arcade when we visit the library, right?
    • Disabled right-click menus. What if some books pounced on you and bit you if you brought them anywhere near a Xerox machine?
    • Mis-use of the footer-space (where destination of URLs is shown while hovering). Suppose that a large reference book didn't have an index! (I know, this one's a stretch.)


    I mean, it's obvious that the Web is not identical to a physical library, but it's purported to (at times) be the digital equivalent of one. Additionally, books and libraries have gradually evolved to be fairly efficient (within the constraints of the world around them); it's usually better to try to build off of an existing known working solution than not to (and, yes, I realized the Web has evolved from its hypertext document origins, but to some extent, page designers are ignoring existing wisdom).