Approving domains for iframes

Before you can embed your Engaging Networks page into an iframe on your site, you should also enable the ‘Allow page to be hosted in iframe on third party page’ feature in the page settings. This setting provides additional security as it puts restrictions on where the page can be embedded.

Enabling this feature

To do this, click on the cog/gear icon for the page. This will bring up the Admin page. Select ‘Settings’, where you will see a section called Iframes.

If you want to allow a page to be hosted in an iframe on a third-party page, you will need to provide the domain where it will be embedded. This will likely be your main domain, so for example if your website address is https://www.mycharity.org, the domain will be the same.

Only pages that have this feature enabled will display within iframes. If you already have pages that are running as iframes make sure that you re-visit the admin panel to check that this is enabled – and remember to add the correct domain. Be sure to test your iframed pages display properly.

What should be included in the setting

Include the subdomain(s) you want to allow. The root domain does not cover subdomains too.

You can add more than one domain by delimiting with a space, for example:

https://engagingnetworks.net https://google.com

Technical details

Pages that are using an iframe to render will need to have this setting enabled to be hosted on a third party page. This is in response to modern browsers supporting the new ‘Content Security Policy’ and that PCI compliance scans now look for these headers.

By default, if the setting is not selected, the SAMEORIGIN header will be set to protect content from being embedded. Additionally, the ‘frame-ancestors’ header is now included and set to ‘self.’

x-frame-options: SAMEORIGIN content-security-policy: frame-ancestors ‘self’

When the setting is enabled, the allowed domain(s) will be specified as the ‘frame-ancestors’ Content-Security-Policy header of ‘self,’ and the domain will be included in the response:

x-frame-options: SAMEORIGIN content-security-policy: frame-ancestors 'self' example.yourcharity.org

Embedding pages in iframes

To actually embed your pages as iframes on another website, click here for more.