Option for disabling iframes

Today I got a creepy browser-level password prompt while browsing my feeds. Firefox exclaimed that it was from another site, but it was somewhat annoying and alarming to discover that sort of thing could even happen. It was caused by a story having an iframe that contained a link to an image that returned a 401 Unauthorized status with a WWW-Authenticate header. This was only possible because the iframe made that image request a same-origin request.

I don’t actually want iframe content to show up in Feed View, and I’d appreciate an option to turn it off. It’s a bit of a security & privacy concern, and I wouldn’t be surprised if it could be a performance issue as well.

1 Like
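What the option requested above could do on the reader's side, as an added example that is not part of this thread or the feed reader's own code: a Python filter that drops every iframe from story HTML before display and leaves a plain link to its `src`. The names `IframeStripper` and `strip_iframes` and the sample story are constructed for illustration, and only iframes are handled here.

```python
from html import escape
from html.parser import HTMLParser

class IframeStripper(HTMLParser):
    """Hypothetical filter: re-emit story HTML with each <iframe> replaced by a link."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed, self.inside = [], [], False

    def _emit(self, text):
        if not self.inside:          # anything nested in a frame is dropped
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return self._emit(self.get_starttag_text())
        if not self.inside:
            src = dict(attrs).get("src") or ""
            self.removed.append(src)  # keep a record of what was stripped
            if src.startswith(("http://", "https://")):
                self.out.append('<a href="%s" rel="noopener noreferrer">[embedded frame]</a>'
                                % escape(src, quote=True))
        self.inside = True

    def handle_startendtag(self, tag, attrs):
        if tag == "iframe":          # browsers ignore the "/" and treat it as an open tag
            self.handle_starttag(tag, attrs)
        else:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag != "iframe":
            return self._emit("</%s>" % tag)
        self.inside = False          # first </iframe> ends the frame, as in a browser

    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit("&%s;" % name)
    def handle_charref(self, name): self._emit("&#%s;" % name)
    def handle_comment(self, data): self._emit("<!--%s-->" % data)

def strip_iframes(story_html):
    """Return (cleaned_html, list_of_removed_frame_srcs)."""
    parser = IframeStripper()
    parser.feed(story_html)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample story, not taken from a real feed
SAMPLE = ('<p>Intro &amp; more</p><iframe src="https://embeds.example/widget?id=1" '
          'width="300"><img src="x"></iframe><p>After<br/>end</p>')
```

Because the frame is never rendered, the browser never issues the request inside it, so a 401 response with a `WWW-Authenticate` header from that frame cannot raise a prompt; the reader can still open the link deliberately.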

Let’s see, yep, I have iframes enabled. The reason is that some sites use them to display comments or up-to-date comment counts or even embeds of images. So I’m not willing to turn it off for this type of issue. There’s really no security issue, though. iframes can’t access any data on the parent. I wish it weren’t so, so I could do all sorts of fancy things, but only browser extensions are afforded that level of permissiveness.

In other words, there’s no security issue with iframes. And because of that I don’t think it’s worthwhile to build a keyword-specific option. I like to minimize preferences and this seems like a lopsided compromise.