
> Google Amp doing essentially the same thing

Iframe is a security trainwreck. You could clickjack Google's login widget iframe to steal account details as late as 2018, maybe even later.[1]

Whatever legitimate gripes you may have with AMP, it's not the same as iframes at all.

[1] https://news.ycombinator.com/item?id=17044518



> Iframe is a security trainwreck

That seems like it should be relatively fixable. For example, iframes could be visible, clearly marked (including the URL), and sandboxed like any separate page. One could go further by insisting that they are display-only and can only be displayed rather than interacted with. Then an iframe would basically be a glorified jpg with a URL.


Then you need to kiss embedded video players and login/auth widgets goodbye, which are like 95%[1] of what iframes are used for outside ads.

But if you just want to embed a completely static article, I suppose it could work, but then there’s no incentive for anyone to allow them.

[1] Yes, I pulled that number out of my ____.


"Deep Rectal Extraction"


X-Frame-Options should fix it now? If a server sets that header, the browser shouldn't show it in a frame. But of course, the server has to be set up properly.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-...

Edit: looks like Safari, IE, and Edge don't check all ancestors which is a potential flaw. Chrome and Firefox do though.


Yes, except some pages are designed to be embedded (like the Google login widget in the linked article), and those may still be vulnerable to clickjacking. If your page isn’t explicitly designed to be embedded then at least SAMEORIGIN is basically a must. In fact most run-of-the-mill security checkers would warn you if you don’t prevent cross-origin iframe embedding.
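The two comments above turn on how a browser decides whether a framed page may render: which header it honours, and whether it checks every ancestor frame or only the top-level page. The following is an added example (not code from this thread, from Google, or from any browser) that models that decision for X-Frame-Options and for the CSP frame-ancestors directive, which takes precedence over X-Frame-Options when both are present. The `scope` option reproduces the ancestor-checking difference mentioned above: with `'top'`, a SAMEORIGIN page nested inside an attacker frame that is itself inside a same-origin page is allowed, which is the bypass. The hostnames `accounts.example` and `evil.example` and the URL paths are constructed for the scenario; the frame-ancestors parser is deliberately minimal and skips wildcard hosts and scheme-only sources.

```javascript
// Added example, not from the original thread: decide whether a framed document
// may render, given its anti-framing headers and the chain of ancestor frames.

function originOf(url) {
  return new URL(url).origin;
}

// Parse X-Frame-Options. Browsers ignore unrecognised values, so anything other
// than DENY / SAMEORIGIN / ALLOW-FROM yields no restriction at all.
function parseXfo(value) {
  if (!value) return null;
  const v = value.trim();
  const upper = v.toUpperCase();
  if (upper === 'DENY') return { mode: 'deny' };
  if (upper === 'SAMEORIGIN') return { mode: 'sameorigin' };
  if (upper.startsWith('ALLOW-FROM')) {
    // Legacy directive (IE / old Firefox); other browsers never supported it.
    return { mode: 'allow-from', origin: originOf(v.slice('ALLOW-FROM'.length).trim()) };
  }
  return null;
}

// Parse only the frame-ancestors directive of a Content-Security-Policy header.
// Supports 'none', 'self' and literal origins; wildcards are omitted for brevity.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  const directive = csp.split(';').map(s => s.trim()).find(s => s.startsWith('frame-ancestors'));
  if (!directive) return null;
  const sources = directive.split(/\s+/).slice(1).map(s => s.replace(/^'|'$/g, ''));
  return { sources };
}

// frameUrl:  URL of the document being framed.
// ancestors: ancestor document URLs, ordered from the immediate parent up to the
//            top-level page (empty when the document is not framed).
// scope:     'all' checks every ancestor (Chrome, Firefox); 'top' checks only the
//            top-level page; 'parent' checks only the immediate parent.
function mayFrame({ frameUrl, ancestors, xfo, csp, scope = 'all' }) {
  if (ancestors.length === 0) return true;
  const self = originOf(frameUrl);
  const checked = scope === 'top' ? [ancestors[ancestors.length - 1]]
                : scope === 'parent' ? [ancestors[0]]
                : ancestors;
  const everyChecked = (pred) => checked.every(a => pred(originOf(a)));

  // frame-ancestors, when present, overrides X-Frame-Options entirely.
  const fa = parseFrameAncestors(csp);
  if (fa) {
    if (fa.sources.includes('none')) return false;
    return everyChecked(o => (fa.sources.includes('self') && o === self) || fa.sources.includes(o));
  }

  const policy = parseXfo(xfo);
  if (!policy) return true;                 // header absent or invalid: no protection
  if (policy.mode === 'deny') return false;
  if (policy.mode === 'sameorigin') return everyChecked(o => o === self);
  return everyChecked(o => o === policy.origin);
}

// Constructed scenario: a login widget at accounts.example is framed by an
// attacker page, which is itself framed by a same-origin page on accounts.example
// (any page there that embeds a caller-supplied URL would do). A browser that
// only looks at the top-level page sees accounts.example and allows the frame.
const LOGIN = 'https://accounts.example/login';
const CHAIN = ['https://evil.example/clickjack', 'https://accounts.example/embed'];

function demo() {
  return {
    allAncestors: mayFrame({ frameUrl: LOGIN, ancestors: CHAIN, xfo: 'SAMEORIGIN', scope: 'all' }),
    topOnly:      mayFrame({ frameUrl: LOGIN, ancestors: CHAIN, xfo: 'SAMEORIGIN', scope: 'top' }),
    cspNone:      mayFrame({ frameUrl: LOGIN, ancestors: CHAIN, csp: "frame-ancestors 'none'", scope: 'top' }),
  };
}

console.log(demo());
```

Two things worth noticing when running it: an unrecognised value such as `ALLOWALL` gives no protection at all, and a `frame-ancestors` directive decides the outcome even when X-Frame-Options says DENY, so a site that sets both should make sure they agree.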


So it's a privacy trainwreck now instead?


AMP allows Google Analytics which all these sites are using anyway, and disallows the dozens of other third party trackers typically seen on these sites, so no, it's a net improvement, or at least not worse.



