Discuss Scratch

NMario84
Scratcher
1000+ posts

Embedding Scratch Projects. Doesn't iframe have security risks?

I've been doing a bit of research, though Scratch suggests using the <iframe> tag to embed your projects. Even Turbowarp.org suggests using the <iframe> tag to embed your Scratch projects. But my research suggests that using iframe has potential security risks. So, shouldn't there be an alternative method instead? Or does using any kind of embed tag have similar security risks?

There seem to be 2 more alternatives to iframe, the 2 being the <embed> tag and the <object> tag.
Whether these have the same risks as iframe or not, I am unsure of. So that is why I am asking about this. Have they considered any alternatives? Or is it just the same amount of risk using the other tags to embed your Scratch Projects?
ethernetexplorer
Scratcher
100+ posts

How does an iframe have security risks? An iframe just embeds a website within another website. Please tell me your research…
NMario84
Scratcher
1000+ posts

Google “iframe security risk”, and it should literally be one of the top links.

While it's true that it's loading a page in another window on your page, the info pages I came across say how 3rd parties could inject suspicious code, so your page becomes vulnerable to cross-site attacks.

In other words, it sounds like someone could just change what the iframe loads, and make it into something else instead of the intended design?
supernavo
Scratcher
1000+ posts

Are you sure these risks apply to Scratch? The embeds don't have login fields. Also Scratch isn't malicious.
NMario84
Scratcher
1000+ posts

Yea I know Scratch is (supposedly) safe.

But the articles about using iframes itself to embed stuff “could” be risky. The issue was if you embed your Scratch project with iframe, there's a chance someone, or something, can change that into something else, maybe?
supernavo
Scratcher
1000+ posts

But you would still have to log in to the phishing, you never would on a real embed.
WatermelonSlicer
Scratcher
88 posts

I don’t think it’s possible in any standard browser to inject anything through and into iframes. If it was, that would be the browser’s fault. It’s not possible to defend against that kind of stuff easily, which is why it is the responsibility of the web browser creators to keep different websites from connecting like that.

supernavo wrote:

> But you would still have to log in to the phishing, you never would on a real embed.

I’m pretty sure embeds are already logged in, if you’re logged in.

Last edited by WatermelonSlicer (Nov. 18, 2022 01:58:31)

supernavo
Scratcher
1000+ posts

If it's phishing, you won't be logged in.
MaterArc
Scratcher
500+ posts

No, the embeds that Scratch supports do not pose a security risk to the regular average user.
DumpsterFires
Scratcher
51 posts

MaterArc wrote:

> No, the embeds that Scratch supports do not pose a security risk to the regular average user.

It's possible that someone could hijack the button. Not every website has foolproof secure code.
CST1229
Scratcher
1000+ posts

I thought iframes are only potentially dangerous if you don't sandbox them properly.
supernavo
Scratcher
1000+ posts

You can sandbox them, and you only embed the project, not the website. Don't browsers prevent running JS into an iframe?
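
The sandboxing that CST1229 and supernavo mention, as an added example that is not part of any post in this thread and is not Scratch's or TurboWarp's own code: a helper an embedding page could use to emit the iframe tag only for an expected embed URL, with a restricted `sandbox` attribute. The host allowlist, the `/embed` URL shapes, the 485x402 default size, the sandbox token choice and the names `EMBED_PATHS`, `SANDBOX`, `escapeAttr` and `buildEmbed` are assumptions.

```javascript
// Added example. Assumed, not from the thread: the host allowlist, the embed
// URL shapes, the 485x402 default size and the sandbox token choice.
const EMBED_PATHS = new Map([
  ["scratch.mit.edu", /^\/projects\/(\d+)\/embed$/],
  ["turbowarp.org", /^\/(\d+)\/embed$/],
]);

// Tokens granted to the frame. allow-same-origin keeps the frame at its own
// origin instead of an opaque one (assumed to be needed by the player).
// Left out on purpose: allow-top-navigation, allow-popups, allow-forms, so the
// frame cannot redirect the host page, open windows or submit forms.
const SANDBOX = "allow-scripts allow-same-origin";

function escapeAttr(value) {
  return String(value).replace(/[&"<>]/g, (c) =>
    ({ "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" })[c]);
}

function buildEmbed(rawUrl, width = 485, height = 402) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error("not an absolute URL");
  }
  if (url.protocol !== "https:") throw new Error("embed must use https");
  if (url.username || url.password || url.port) {
    throw new Error("credentials or custom port not allowed");
  }
  const pattern = EMBED_PATHS.get(url.hostname); // exact host match only
  const match = pattern && pattern.exec(url.pathname);
  if (!match) throw new Error("not an allowed embed URL");
  if (!Number.isInteger(width) || !Number.isInteger(height) || width < 1 || height < 1) {
    throw new Error("width and height must be positive integers");
  }
  // Rebuild src from validated parts; query string and fragment are dropped.
  const src = `https://${url.hostname}${url.pathname}`;
  return `<iframe src="${escapeAttr(src)}" width="${width}" height="${height}" ` +
    `sandbox="${SANDBOX}" title="Scratch project ${match[1]}"></iframe>`;
}

// Constructed project id, for illustration only.
console.log(buildEmbed("https://scratch.mit.edu/projects/123456/embed"));
```

Combining `allow-scripts` with `allow-same-origin` is only appropriate because the framed page is on a different origin from the embedding page; whether the player runs with fewer tokens has to be tested against the real embed.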