Hmm... I see what you mean. I serve banners using JS and they don't show up. However, banners that are hard coded do show up.

If the frame is cancelling JS, then I guess a JS framebuster is useless.

Yup, I see it to. It isn't limited to adult sites.

I'd think there would be some way to break frames with php, but for the life of me I can't seem to figure out how. I tried searching all over, but all I can find is the javascript version... which of course, won't work in this case.

Same here. I have a framebuster javascript running along with adsense ads.

Yahoo images doesn't let either run. I'll look for something in PHP. Hopefully there is something out there.

I recently went to php ad rotators instead of javascript because too many browsers have JS blocked. My sites are NOT adult but they are image (photo) rich. This really stinks.

chris

This is the SECURITY attribute [msdn.microsoft.com], in IE6 (and probably IE7), allows you to open a third-party page as if it was within the high-security restricted sites level as defined within IE. This means no Javascript and no ActiveX. Framebusters won't work and there is not a lot you can do server-side to get around this short or banning referrers from Yahoo images.

security="restricted"

is (was) a well-kept secret, and this is very sneaky for Yahoo to be using. If you want to try it, this is the syntax:

<iframe src="http://example.com/" [b]security="restricted"[/b] width="550" height="450"></iframe>

The attribute is meaningless in alternative (non-MS) browsers, and Javascript etc. will function correctly in those browsers, including frame-busting scripts.

Found something I think is interesting.

I'm running a frame breaker. When I first click on one of my images and it loads, the ads and framebreaker are missing. However, when I click on any of the nav links (pages created in frontpage), the framebuster script kicks in and the page busts out of the Yahoo frame.

I have to put this aside for a bit, but I'm thinking that some combo of script/noscript tag combined with a meta-refresh if scripting is turned off will work. The problem is that the meta refresh is a header tag. I have some php scripts such as counter.php that could probably work. I think I might be able to call them as a php include.

My idea is
1. include a script no script tag. Given the frame restrictions, I would think the noscript would kick in
2. Have the noscript run a php script or other refresh that will cause the page to be reloaded. I think that might break out.

Anyway, I'll play with it some more.

I agree it is a sneaky trick by Y. Now that Y let the cat out of the bag all of the other framing sites will include the same security tag.

Anyway, I know I'm rambling a bit. Hopefully this might get other people thinking as to how to beat the tag

Chris

Won't this also disable YPN ads?

they're sending you traffic--it'd be difficult to say theft. Perhaps they feel they want to protect their visitors, as its their brand and referral. To some extent, people have held search engines responsible for the sites they link to (Germany & France restricting sites with Nazi ideology, US requiring DMCAs to be enforced)..maybe this may be an extension of the notion that the search engine needs to be aware of what they are linking to and the effects it may have on the user and their browser. Javascript can be an unwelcoming event if used inappropriately.

Just a correction. It appears that it isn't the framebuster script kicking in when you click on a link in a security=restricted frame. Rather it appears that is the default behavior of the frame when the security=restricted tag is present.

IOW, any click on a link in a security=restricted frame will open in a new unframed window.

I haven't found any way to break out yet, especailly when using frontpage. About the best I've been able to do is put a layer in the noscript section of my framebreaker code. The layer has a message to the effect that if the site is being framed it probably isn't rendering properly, click here to go to the unframed site.

the problem with that is that you will see that message in browsers with JS turned off even if they arent' framed.

Maybe google and the other big ad companies can pressure Microsoft to either eliminate or change the behaviour of that tag. I think it is being abused the way it's used in this situation.

I like it. On Google images I'd see so many pages that would take over the page and send you somewhere else. If this stops javascript while in the frame, no problem. Click on the link and voila, it's there. I'm a publisher and don't like the ads removed, but I understand their goal is to fight popups etc and they aren't depriving publishers of revenue just to be mean or w/ the intent to steal content.

rohitj

If framing with the security=restricted tag remains for images and videos, it probably won't be long before they do the same thing with the web searches. The same argument you presented would still apply

The tag has created a number of issues

Publisher revenues will definitly drop since you lose the first opportunity for a click.

Sites that depended on Javascript or activex for security will now be more vulnerable (although the security should probably have been server side anyway)

The people with the 'made for adsense scraper' mentality will soon find ways to frame content and have their ads appear in their frames while your ads are blocked.

The tag has to be eliminated or modified.

they're sending you traffic--it'd be difficult to say theft. . . . .maybe this may be an extension of the notion that the search engine needs to be aware of what they are linking to and the effects it may have on the user and their browser. Javascript can be an unwelcoming event if used inappropriately

It is an easy way out for Yahoo. They continue to avoid the real issue - And that is that they need to improve the manner in which they qualify sites in their rankings.

If a Yahoo user follows a link from the search results and hits a website that throws up ads or does immediate redirects, it reflects poorly on the website and it is the website owners fault.

If a Yahoo user follows a link from the search results and hits a website that has been disfigured because Yahoo's frame has disabled Javascript, it still reflects poorly on the website, but this time it is Yahoo's fault.

In either case, the user is not going to consider that their bad experience was due to Yahoo.

And, to the argument "They are sending you traffic", what good is it? If I get no revenue from that traffic on my content site and my eCommerce site is degraded to the point of uselessness?

In the end, they are also harming their own utility to the user. The word will slowly spread that Yahoo tends to give search results with links to sites that don't work.

Yahoo should put more effort into pushing poorly behaved sites to the bottom (or out of) of their rankings.

At the risk of offending everyone, I think this is great. Beyond great in fact.

I assume that this will stop lots of annoying pops ups, spyware, re-directions, websites trying to install viruses, etc - making the image search actually safe to use for once - in short making it a million times better than it currently is.

There seems to be webmasters who deliberately make sites to get traffic from Yahoo Images - only to instantly redirect them away to dodgy sites or to install spyware / viruses on a users pc. This should hopefully put an end to that.

This is far, far better for users in my opinion.

If a user wants to use something that requires javascript or active X they can click to visit the uncached version.

Equally if webmasters don't want Yahoo to index images then they can use robots.txt on image folders.

Okay, I feel dumb. I should have looked and read more closely.

So, what the OP means is that the frame holding the page content, the frame that is clearly below the Yahoo frame, and is presented as a preview of the page that holds the original image, has the security tag.

I don't have any problem with that.

This is a blow for CJ affiliates because CJ is in the process of forcing affiliates to go to an all-javascript link format.

I am bothered by another similar problem of unauthorized alteration of content caused by AOL. They sometimes compress JPG images, reducing their quality in order to save bandwidth. The resulting image can look really crappy. If your site has a nice photo gallery this can really ruin the visitor's experience.

is anyone suprised that yahoo is altering webmaster content. Just read this board and read the Yahoo/Overture board and its almost expected.

Imagine Webmasterworld where brett: a. setup an automated post filtering tool that frequently Banned regular/best posters for no rhyme or reason and no answer as to why, b. allowed spammers and completely off-topic posters to post all the time, c. made it as difficult as possible for you to participate with the service. Example, brett, sets a monthly fee for WebmasterWorld was $20 per month, but overnight charges your card $500 because the $20 dollars a month fee is actually just averaged out over 2 years and your charged upfront for the monthly fee. (see overture/yahoo thread for details)

They are by far the most anti-webmaster anti-business friendly company I have ever seen. I feel they should just stop what they're doing at the moment and spend the next 6-12 months trying to repair their services and reputation among webmasters and ppc advertisers. I dont even understand how the management there can see that they have lost market share to google for 9 straight months, lose msn/ppc revenue and still engage in these types of behaviors and just dont seem to get it. Maybe they dont care, or who knows.

I have some sites that rank pretty good in yahoo, and the clicks are suprisingly skimpy at best. Its also a shocker amongst whom i chatter with how far ad-bids have fallen on overture the past 1-2 years on overture.

Search engines are successful from the webmaster community. Not how many ad campaigns, partnerships and deals they make with ebay, the worldcup or whoever. When you engage in such anti-webmaster practices you get the net result, month after month of usage decline and user abandonment. Hopefully someone will get the message over there soon. I'm giving sound advice and i know many who read this are probably nodding their heads in agreement.

I'm a bit slow on the uptake, but why are we just talking about Yahoo? Sure, it ain't very nice for one of the big guns to be outed, but how many other folks are doing this or going to be doing this tomorrow?

What are the real repercussions across the whole 'Net? Instead of scrapers are we now going to have "framers"? And why the heck did MS ever come up with this in the first place?

I don't have any problem with that

But it is a problem when Yahoo takes third-party content, places it in a Yahoo-branded frame under their own domain, and deliberately removes advertising placed by the publisher on the original page for 80%-plus of internet users (those using IE). The original publisher pays for the bandwidth to provide Yahoo with free image and video content on their own domain, but is denied the chance to profit from their work.

A reaction (other than banning Yahoo images) would probably involve server-side scripting to detect referrers from Yahoo images, and the use of the

<noscript></noscript>

element to provide alternative content or non-JS-driven advertising (eg. banners) to those with Javascript forcibly disabled. But it is not always easy to implement complex scripted solutions for many site owners who do not have the technical knowledge.

Hhhhhhhhmmmmmmmmm

I use javascript code to break up emails in bits so scammers can't pick them up. I suppose these aren't working either.

This is huge. I can imagine a LOT of bad actors adopting this fairly quickly.

Just checked my own site in IE, which I don't normally surf with. Turns out the Google Toolbar blocks every link on my page when it's displayed within a Yahoo frame, because they now open in a new window and are thus "pop-ups". Priceless.

I have lots of issues w/ Yahoo but not on this topic. You are pointing the finger in the wrong direction. If you have a problem at all, it should be in the protocol and the browser. Yahoo is using a tag in the spec for the appropriate purpose. And they don't have bad intentions on this one. They are fighting spammers. Why don't you rail against the W3C for coming up with this tag if it's a bad tag? Why don't you rail against the browser(s) that this technique works in? They are the ones making it possible for ALL webmasters to frame content w/o JS. Surely that's a bigger issue than the fact that one particular company is using it.

There are SO MANY examples of bad stuff that huge companies are doing. This one is not worthy of front page status.

This one is not worthy of front page status.

While I agree with you that Y! itself isn't the problem (see my msg 17 above), this issue is definitely worthy of the front page. I'm trying to think of all the implications and, quite frankly, have a pretty boggled mind right now.

I've checked W3C and can't find any mentions of it, so one question: Is this a W3C spec, or did Microsoft initiate this on its own?

And they don't have bad intentions on this one. They are fighting spammers.

So if their intent is noble collateral damage doesn't matter?

I wouldn't be so sure their actions are noble. Yahoo has long been suspected of lowering your ranking if you run Adsense on your page. Their logic? Why should Yahoo send money to Google?

I am running a test right now where I am not showing Adsense to people who are reffered by Yahoo or Yahoo spiders. They all get display advertising. I will let you know if I see a difference in my rankings.

Why don't you rail against the W3C for coming up with this tag if it's a bad tag?

Unless I'm mistaken, Microsoft came up with the attribute, not W3C. That's why it only works in MSIE.

[w3.org ]
I'd rail against MS, but I've been doing that for decades and it's never helped.

I guess that explains why visitors from Yahoo Images don't show up in my JavaScript-based traffic reports.

Solving the problem of Yahoo! altering webmaster content:

User-agent: Slurp
Disallow: /

It's really not that hard, either block Yahoo! completely or stop complaining. Problem solved.

...or if you want a suggestion that's actually helpful, block "User-agent: Yahoo-MMCrawler". That should have a minimal effect on traffic.

[help.yahoo.com ]

If you want to send a clear message, when the page is framed by "http://images.search.yahoo.com/search/images/view" display a different message instead of the page that tells the end user that you don't permit your page to be framed by sites that modify or disable your content, please "CLICK HERE" to see the original page fully functional in a new window.

BTW, my frame buster worked swimmingly in FireFox so I'm only going to do this when IE comes knocking.

I think this is long overdue. I look forward to Google Images implementing it and will be implementing it in the very few places I frame pages.