Embedding 3rd party sites into your wiki contain 3 risks, that you should be aware of.
- Security Risks – as you pointed out
- Copyright & Legal Risks
- Causing Financial Harm
Add 1) Security Risks
a) Clickjacking & UI Redress Attacks
b) Malicious Redirects of Frame Navigation
c) Browser Exploits & Drive-by Content
d) Information Leakage (if the iframe contains analytics software)
e) Performance and Resource Abuse (eg: Crypto miners)
Many of those risks can be mitigated by using <iframe sandbox>
eg:
-
referrerpolicy="no-referrer"
and others.
- By default deny everything and allow as needed
Add 2) Copyright & Legal Risks
Disclaimer: I am not a lawyer so take the following points with a grain of salt.
a) Embedding ≠ Copying (but still risky)
- When you embed a site via
<iframe>
, you’re not copying or hosting the content — it’s loaded from the third party’s server.
- However, you’re redistributing access to that content within your interface, which can still trigger copyright or terms-of-service violations.
b) Terms of Service (ToS)
- Many sites (e.g., YouTube, Twitter) explicitly allow embedding through official widgets.
- Others prohibit embedding in their ToS, especially for commercial or derivative use.
Use official APIs instead of your own iframe constructions
c) Copyright & “Public Display”
- In some jurisdictions, embedding copyrighted works without authorization can still count as a public communication or performance, especially if the original source was not intended for public embedding.
d) Privacy / GDPR Implications
- Embedding third-party content often loads tracking scripts and cookies (e.g., from Google, Meta, or analytics providers).
- Under GDPR or CCPA, this could make your wiki the data controller responsible for informing users and obtaining consent.
3) Causing Financial Harm
When you embed 3rd party content from a site that is not prepared for it, it’s possible to hit them financially. eg: Small sites may be billed by traffic volume.
-
Bandwidth theft / “hotlinking” Embedding large images, videos, or documents directly from another site.
-
Unintended traffic spikes A popular wiki could cause sudden heavy load on a small external site.