Beware: the internet is watching you

We've another web plaything to launch today - Googly Eyes. Drag an eye ball (ew!) from the top-left-hand corner of the screen, and once you release it, a new one will appear, where the old one used to be. Move the mouse, and both pupils will follow your mouse cursor. If Gerard Butler ain't your thing (really? What's wrong with you?), then type a new URL in the box in the top right, and hit enter.

Right: now you know how to use it, let me explain why the User Experience is so terrible. And why this is a good thing.

You might notice that you need to click twice on the pictures of Gerard Butler's beautiful face, before it fills the screen with awesome. And once you've done this, the eyes will refuse to follow the mouse, until you happen to move the cursor over one. This is because the Bing! image result page is running in an iframe. And communication between one domain ( and another ( is Not A Good Idea.

Here's the crude, cartoon version of how it went down. In the wild-west days of the Internet, anything went. Web browsers would allow any old data to pass through them. Then popups happened, and users got a bit miffed. Browsers started locking down what we call the sandbox, to mitigate the effects of malicious code. And communicating between two domains through the web browser basically doesn't work anymore.

This also included the mouse movements. Unfortunately, the eyeballs need to know where your mouse is, so they can follow it. And as soon as your focus shifts to Bing!, they have no idea where the mouse is. They don't even know that it's gone (because that's another bit of information they might exploit). This means that a banner ad in an iframe can't track where you're clicking, unless you happen to be over it.

You might be wondering why I didn't point the page at Facebook, or even some random image search on Google Images. Both those sites use X-Frame options, which tell the browser not to honour the request, if the page will load inside an iframe. This is more secure than using JavaScript to break out of iframes.

This didn't stop my nephews from clicking around it for a good hour. This search, strangely, produced the most laughter.

Photo of Mr. Gerard Butler: Siebbi ( [CC BY 3.0 (], via Wikimedia Commons.