IFRAMEs & Webflow

IFRAME Embedding Your Site inside Another Site

Overview
Using IFRAMEs
Working with IFRAMEs
100
Styling IFRAME contents
101
Targeting an IFRAME with Links
102
IFRAMEs & Mobile Devices
Testing Your IFRAMEs on Mobile Devices
201
Best Practices for Mobiles
202
Advanced IFRAMES
Sizing IFRAMEs Dynamically
401
IFRAME Embedding Your Site inside Another Site
402
No items found.
Published
August 4, 2023
Updated
August 4, 2023
in lightbox

In certain cases, you may want to IFRAME-embed your Webflow-hosted site inside of another site.

In general, you can IFRAME-embed your Webflow site in another website, once it’s on a paid plan and published to a custom domain name. However;

  • You cannot IFRAME embed content from the *.webflow.io staging domain to another domain.
  • You cannot IFRAME embed ECommerce sites.
  • You cannot IFRAME embed Memberships sites.

All of this is governed by Webflow's servers by specifying the Content Security Policy (CSP) in each of these cases.

How CSPs Work

Modern browsers determine whether certain actions like IFRAME-embedding are safe and appropriate by checking the Content Security Policy (CSP) that is presented by the hosting server.

CSP stands for Content Security Policy. It's a security feature that helps prevent a variety of attacks, including Cross-Site Scripting (XSS) and data injection attacks. CSP works by specifying rules for the types of content that are allowed to be loaded and executed on a webpage.
These rules are defined by the server and sent to the client in the HTTP response headers. The client's web browser then enforces these rules.

Here's an example of what that header looks like;

Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com

Webflow's CSPs

When your site is Webflow-hosted, Webflow controls this and changes it depending on your site's situation.

So far I've seen these variations;

  • + General sites which are hosted on a custom domain ( paid plan ) are given a CSP that allows them to be IFRAME-embedded on another domain.
  • - Staged webflow.io sites are blocked from IFRAME-embedding, likely to prevent abuse.
  • - ECommerce sites are blocked, likely to prevent security risks like script injection password or CC capture.
  • - Memberships sites are blocked, likely to prevent security risks like password capture.

When the site is in a "protected" state, Webflow issues a CSP header that restricts where the site can be hosted, like this;

content-security-policy: frame-ancestors 'self' https://*.webflow.com http://*.webflow.com http://*.webflow.io http://webflow.com https://webflow.com

When the site is "unprotected", that header does not exist.

Notes

https://discourse.webflow.com/t/can-i-have-a-webflow-page-in-a-generated-iframe/215443/6

Videos
No items found.
Table of Contents
Comments
Did we just make your life better?
Passion drives our long hours and late nights supporting the Webflow community. Click the button to show your love.