Why are iframes allowed by default?

Çağlar Arlı      -    21 Views

Clickjacking is still very possible in 2024, because iframe embedding is allowed by default. Why is this the case?

In 2013 there was a question about why iframes exist at all (Why are iframes allowed at all in modern browsers?), which is outdated (it heavily references Flash, Java Applets, and extols the benefits of using iframes for single-domain sites as an alternative to AJAX).

However, EVEN assuming all the justifications for iframes from 2013 still hold up today, this does not explain why iframes aren't disallowed by default (with CSP or X-Frame-Options being used to allow them when necessary).
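
An added example, not part of the original question: a Python check that classifies the framing protection a response actually gets from `X-Frame-Options` and CSP `frame-ancestors`, showing that a response with neither header can be embedded by any origin. Function names and sample headers are constructed for illustration, and several CSP policies are approximated by taking the strictest class.

```python
# Added example: classify the framing protection a response actually gets.
# Names and sample headers are constructed for illustration.
RANK = ["allow-any", "allowlist", "same-origin", "deny"]  # least to most strict

def classify_frame_ancestors(sources):
    s = [x.lower() for x in sources]
    if not s or s == ["'none'"]:      # an empty source list behaves like 'none'
        return "deny"
    if "*" in s:
        return "allow-any"
    return "same-origin" if s == ["'self'"] else "allowlist"

def csp_verdicts(headers):
    out = []
    for name, value in headers:
        if name.lower() != "content-security-policy":  # Report-Only never blocks
            continue
        for policy in value.split(","):                # comma separates policies
            for directive in policy.split(";"):
                tok = directive.split()
                if tok and tok[0].lower() == "frame-ancestors":
                    out.append(classify_frame_ancestors(tok[1:]))
                    break                              # first occurrence wins
    return out

def xfo_verdict(headers):
    values = {v.strip().lower() for n, raw in headers
              if n.lower() == "x-frame-options" for v in raw.split(",") if v.strip()}
    if len(values) > 1 and values & {"deny", "sameorigin", "allowall"}:
        return "deny"                                  # conflicting values block
    if values == {"deny"}:
        return "deny"
    # Anything else (absent, ALLOW-FROM, typos) is ignored: framing is allowed.
    return "same-origin" if values == {"sameorigin"} else "allow-any"

def framing_policy(headers):
    """headers: list of (name, value). An enforced frame-ancestors overrides XFO."""
    csp = csp_verdicts(headers)
    # Assumption: several policies are approximated by the strictest class.
    return max(csp, key=RANK.index) if csp else xfo_verdict(headers)

SAMPLES = {  # constructed responses
    "no headers": [],
    "XFO DENY": [("X-Frame-Options", "DENY")],
    "obsolete ALLOW-FROM": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "report-only CSP": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "CSP self + XFO DENY": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
                            ("X-Frame-Options", "DENY")],
}
if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:22} -> {framing_policy(hdrs)}")
```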