I'm currently working on a button like the "Facebook like" and "Twitter" buttons. Since it will be a bit more complex, involving a tooltip that is shown after a click on the button, I cannot place it into an iframe.
So I thought a bit about why everyone puts their buttons into an iframe. The first thing that came to my mind was that it makes it impossible to alter the appearance of the button. But are there any other (security) concerns that matter in this case?
I suppose it indeed prevents easy tampering with the appearance, but also with the behavior (all kinds of Javascript i.e.), it allows for easier statistics collection and it's probably an easy way to have it implemented widely. Simply saying "please put
<iframe src="http://blabla" />
into your website" is a lot easier for users to do and understand than "please put<script .....>
into the head of your code, and<form><input type="hidden" ..><input type="submit" ..></form>
into the body"