Iframes and abuse prevention. #26
Comments
Only one meta tag per document (Document has a roughly 1:1 relationship with Window), at any one time. The current implementation is a web browser extension which has knowledge of whether the current window is the "top" window. It simply ignores monetization requests in iframes, it doesn't thwart the top level content. This could be better specified. In earlier versions of the spec there was support for
I am parsing that as a concern for people putting meta tags on top level pages, then embedding iframes of others content, with the top frame always getting paid. I think you have brought up some good points to ponder here. In the meantime there is X-Frame-Options for child frames wanting to protect their content: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options |
|
The long scrolling page of collated content is something I've pondered now and then. |
|
Regarding scrolling content, browsers knows what's in viewport. So it ought to be possible to credit frames that are in context. It gets quite complex to do once you have to take into account horizontally scrolling elements like carousels. Video and Audio are a bit easier with the death of flash. It should be possible to identify all video/audio tags and detect which ones are playing. Allowing a monetization http header on the video files would be helpful here. However if you're defining a standard and want browsers to bake it in (presumably the long term goal) it's best to define it how it should work and then make compromises needed to get it to work in the extension for now rather than limiting the standard to what's possible with an extension. Since extensions are disallowed on mobile if this project has any hope of actually achieving product market fit it needs to be baked into browsers. Regarding nested frames I don't think x-frame is really helpful here it's too blunt an instrument. A pair of content security policies that let an iframe disallow monetized parents and a complimentary policy to allow a parent to yield to monetized children in viewport might go a long way to solving it. Although it would have to be designed carefully and there are a lot of edge cases. |
|
Good points!
Temporary :) |
|
Kamino closed and cloned this issue to interledger/webmonetization.org |
The spec as drafted has multiple issues related to revenue sharing, fraud, and abuse prevention.
#16 and #23 have some discussion of where the
<meta>tag andmonetizationobject should live. Thedocumentvsnavigatorchoice has some implications for abuse prevention.As written the spec disallows
metatags in iframes. This is impossible to enforce as<iframe>contents are not visible to parent frames. Depending on the, as yet unspecified error handling, an iframe could include a monetizationmetatag and trigger a denial of service on the parent by virtue of having more than one tag.Conversely, if
metatags iniframesare ignored a malicious actor could frame content pages and include a monetization tag in the top frame thus hijacking the payment from the child frame content. This become particularly tricky when dealing with embedded videos where there may be multiple, legitimately monetized child frames on a page.The mechanics of allocating payment between multiple claimants, some legitimate some not are extremely complex. For example a page that collates the best cat videos from YouTube probably deserves some revenue for bringing the audience. While at the same time the embedded videos also deserve revenue to reward the creators. This is currently achieved vi banner and pre roll ads respectively. It's unclear how this can be done within the current spec.
The text was updated successfully, but these errors were encountered: