HTML Iframes & Embedding
Mentor's Note: An iframe is like a window into another webpage inside your own page! Think of it as picture-in-picture for websites โ you stay on your page while seeing content from somewhere else. Use them wisely and securely.
๐ What is an IFrame?โ
IFrame stands for Inline Frame. It is an HTML element that lets you embed another HTML page inside the current page. The embedded page runs in its own browsing context โ it has its own history, its own JavaScript environment, and its own DOM.
<iframe src="https://example.com" title="Example site"></iframe>
Here is how the browser handles an iframe request:
๐ง Basic Syntaxโ
<iframe
src="https://www.example.com"
width="800"
height="600"
title="Example page"
></iframe>
The src attribute points to the URL you want to embed. The width and height control the dimensions. The title attribute is required for accessibility โ screen readers use it to describe the embedded content.
๐ฏ Common Use Casesโ
YouTube Video Embedโ
<iframe
width="560"
height="315"
src="https://www.youtube.com/embed/dQw4w9WgXcQ"
title="YouTube video player"
allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
allowfullscreen
></iframe>
How to get the embed URL: On YouTube, click Share โ Embed and copy the <iframe> code.
Google Maps Embedโ
<iframe
width="600"
height="450"
src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3..."
title="Google Maps location"
allowfullscreen
loading="lazy"
></iframe>
How to get the embed URL: On Google Maps, click the hamburger menu โ Share or embed map โ Embed a map and copy the <iframe> code.
PDF Document Viewerโ
<iframe
src="/documents/brochure.pdf"
width="100%"
height="500"
title="Company brochure"
></iframe>
Most modern browsers have a built-in PDF viewer that displays PDFs inside iframes automatically.
Other Website Previewโ
<iframe
src="https://en.wikipedia.org/wiki/HTML"
width="100%"
height="600"
title="Wikipedia article about HTML"
sandbox="allow-scripts allow-same-origin"
></iframe>
Note: Many websites block embedding via the
X-Frame-Options: DENYorSAMEORIGINHTTP header. Always test whether the site you want to embed allows it.
๐ค Deciding What to Embedโ
๐ IFrame Attributesโ
| Attribute | Value | Description |
|---|---|---|
src | URL | The URL of the page to embed |
width | pixels | Width of the iframe |
height | pixels | Height of the iframe |
title | text | Accessible name for screen readers (always include!) |
allow | feature list | Permissions for the iframe (e.g., geolocation, microphone) |
sandbox | restriction tokens | Enables extra security restrictions |
loading | lazy / eager | lazy defers loading until the iframe is near the viewport |
referrerpolicy | no-referrer, origin, etc. | Controls what referrer info is sent |
allowfullscreen | (boolean) | Allows fullscreen mode |
name | text | Name for targeting in links/forms |
๐ Security: The Sandbox Attributeโ
The sandbox attribute applies extra restrictions to the embedded content. By default, an empty sandbox attribute applies all restrictions:
- No scripts
- No forms
- No popups
- No navigation
- No plugins
- Treats content as a unique origin
<iframe src="https://example.com" sandbox></iframe>
You can selectively enable features by adding space-separated tokens:
Common Sandbox Valuesโ
| Token | What it enables |
|---|---|
| (none) | All restrictions applied |
allow-scripts | Run JavaScript |
allow-same-origin | Treat as same origin (needed with allow-scripts for some cases) |
allow-forms | Submit forms |
allow-popups | Open popup windows |
allow-top-navigation | Navigate the parent page |
allow-modals | Open modal dialogs (alert(), confirm()) |
allow-presentation | Start a presentation session |
โ ๏ธ Warning: Never use
allow-scriptsandallow-same-origintogether unless you fully trust the embedded content. This combination lets the iframe break out of the sandbox and access the parent page's DOM.
๐ฑ Responsive Iframesโ
Iframes have a fixed size, but you can make them responsive with CSS. The aspect-ratio box technique is the most reliable approach:
CSSโ
.iframe-container {
position: relative;
width: 100%;
overflow: hidden;
padding-top: 56.25%; /* 16:9 aspect ratio (9 รท 16 ร 100) */
}
.iframe-container iframe {
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
border: 0;
}
HTMLโ
<div class="iframe-container">
<iframe
src="https://www.youtube.com/embed/dQw4w9WgXcQ"
title="Responsive YouTube video"
loading="lazy"
></iframe>
</div>
Alternative using aspect-ratio (modern CSS):
iframe {
width: 100%;
height: auto;
aspect-ratio: 16 / 9;
}
The
aspect-ratioCSS property is simpler but not supported in very old browsers.
๐ก๏ธ Security Best Practicesโ
- Always include a
titleโ required for accessibility and screen readers - Use
sandboxwhenever possible โ restrict what the embedded content can do - Use
loading="lazy"โ improves page load performance - Use
referrerpolicy="no-referrer"โ protects user privacy - Never trust embedded content โ treat it as you would any third-party resource
- Check
X-Frame-Optionsโ some sites block embedding; respect their policy - Prefer
https://โ avoid mixed content warnings
โ๏ธ IFrame vs Object vs Embedโ
| Element | Best for | Status |
|---|---|---|
<iframe> | Web pages, videos, maps | โ Modern & recommended |
<embed> | Plugins (Flash, Java applets) | โ Deprecated |
<object> | Legacy content, fallback scenarios | โ ๏ธ Edge cases only |
Rule of thumb: Reach for <iframe> first. Only consider <object> if you need fallback content for old browsers.
๐งช Try It Yourselfโ
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Iframe Demo</title>
<style>
body {
font-family: system-ui, sans-serif;
max-width: 800px;
margin: 2rem auto;
padding: 0 1rem;
}
.embed-container {
position: relative;
width: 100%;
padding-top: 56.25%;
margin-bottom: 2rem;
}
.embed-container iframe {
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
border: none;
border-radius: 8px;
}
</style>
</head>
<body>
<h1>My First Embed Page</h1>
<h2>YouTube Video</h2>
<div class="embed-container">
<iframe
src="https://www.youtube.com/embed/jNQXAC9IVRw"
title="Me at the zoo"
allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
allowfullscreen
loading="lazy"
></iframe>
</div>
<h2>Google Maps</h2>
<div class="embed-container" style="padding-top: 75%;">
<iframe
src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d9931.175804673178!2d-0.12772435716006678!3d51.50735070560716!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x487604ce38b6d0c1%3A0x6b3f5c5b6b5f5b5f!2sLondon%2C%20UK!5e0!3m2!1sen!2sin!4v1680000000000"
title="Map of London"
allowfullscreen
loading="lazy"
></iframe>
</div>
</body>
</html>
โ Common Mistakesโ
| Mistake | Why it is wrong | Fix |
|---|---|---|
Missing title | Screen readers cannot describe the iframe | Add title="Descriptive name" |
Forgetting sandbox with untrusted content | Embedded page can run scripts freely | Add sandbox with only needed tokens |
| Hard-coded fixed width/height | Breaks on mobile devices | Use responsive CSS technique |
| Embedding without permission | May violate terms of service | Check embeddability + X-Frame-Options |
No loading="lazy" | Slows down initial page load | Add loading="lazy" |
Mixed content (http:// embed in https:// page) | Browser blocks the embed | Always use https:// sources |
๐ Related Topicsโ
- HTML Media Elements โ Images, audio, and video tags
- HTML Links & Navigation โ Hyperlinks and navigation patterns
- Security & Privacy โ Keeping your embedded content safe