This happens all the time to my app. Our marketing team littered iframes all over our app, but they constantly push broken URLs for the iframe src. So what happens is the iframe defaults to loading the parent frame, which then loads iframes, which fail to load and again load the parent. Repeat.

Ahhh, enterprise software development...

Easy fix- keep marketers away from the innards of the product. If you can’t, try to set a “rule” that if they want to add another iframe/script/whatever, they have to remove another one.

I appreciate that you think I have that kind of power.

I protest with every iframe they add. We have a page that starts with 6 and gets up to 20. It wouldn’t be so bad if they loaded basic html, but they use a WYSIWYG editor which generates tons of SVGs and JavaScript, so it really maims our product.

I work on enterprise software and in my experience what you are describing is not normal. It sounds more like amateur software development masquerading as enterprise software development.

I found myself asking "why" at first. Then remembered we're on HN, and "why not" would be a sufficient answer. Well done!

This SO thread [0] on the subject is interesting as well. I suspect this really has no harmful consequences, most browsers have a max iframe depth, although I don’t know how it varies.

[0] https://stackoverflow.com/questions/14223628/why-does-a-self...

I can “crash” a tab by running an infinite JS loop, or sending a bunch of data. Crashing doesn’t seem like a big deal.

It’s much less of a problem now that all browsers are running each tab in a separate process. It used to be so much worse.

Firefox manages to produce whole browser lag and freezes pretty often. And while it uses multiple processes, it's not using one per tab or origin.

This is delightful, I love it.

I wonder how this method of turning one legitimate request into infinite requests could be used or abused for real world purposes. CPC fraud? DOS attacks? CPU drain? There's no reason that the iframe needs to be visible in the page at all.

I don't think this oddity could be used for any of those things. The pages that you would attack or defraud are not recursively loading themselves in iframes. If you wanted to do any of that you would just load many iframes with the same URL with some meaningless query parameters on it, as from a caching perspective, a URL which differs only by it's query parameters is a different URL.

Haven't there been instances where someone spams an API endpoint that is cpu intensive or in the past before CDNs some large file?

No live demo? or did i skim too badly :) ?

I wanted to see it locally, so I threw this together:

    #!/usr/bin/env python3
    from flask import Flask
    app = Flask(__name__)
    @app.route('/')
    def hello():
        return world("0")
    @app.route('/<depth>')
    def world(depth):
        return f"""
    <head><title>iframe loop</title></head>
    <body><h1>iframe loop</h1>
    <iframe width="800" height="600" src="/{int(depth)+1}"></iframe>
    </body></html>
        """
    if __name__ == '__main__':
        app.run()

I put the Chrome tab out of it's misery after 250 frames, it was really chugging along.

As a JavaScript developer I feel kinda sad when I see how compact and clean such python and ruby examples are. You can shoot a thousand modules in JS and you still never get here.

The by default included http module would let you achieve the same thing. Might be a few lines more, but definitely not 1000 modules more.

Similar example in Node

    const http = require('http');
    const url = require('url');

    http.createServer((req, res) => {
        const queryObject = url.parse(req.url, true).query;

        return res.writeHead(200, {
            'contentType': 'text/html'
        }).end(world(queryObject.depth));
    }).listen(8080);

    function world(depth = 0) {
        return `
            <head><title>iframe loop</title></head>
            <body><h1>iframe loop ${depth}</h1>
            <iframe width="800" height="600" src="/?depth=${parseInt(depth)+1}"></iframe>
            </body></html>
        `;
    }

That's a shame. I was interested in seeing how different browser engines handled it.