What Is iFrame? | phoenixNAP IT Glossary

An iFrame, or Inline Frame, is an HTML element that allows you to embed another HTML document within the current web page.

What Is an iFrame?

An iFrame, short for Inline Frame, is an HTML element that enables the embedding of an external HTML document within the confines of another HTML document. Essentially, it acts as a window that can display content from a different web page or resource, all while remaining part of the current webpage. iFrames are widely used for various purposes, such as integrating videos, interactive maps, advertisements, or other dynamic content into a website without requiring users to leave the page they are viewing.

How Does an iFrame Work?

An iFrame embeds an external HTML document or other web content within the current webpage. Here’s a step-by-step explanation of how this process works:

Inserting the iFrame element. The process begins with the developer adding an <iframe> tag to the HTML of the web page. This tag includes attributes such as src, which specifies the URL of the external content to be embedded, and other optional attributes like width, height, frameborder, and allowfullscreen to control the appearance and behavior of the iFrame.
Requesting the external intent. Once the user's browser loads the webpage containing the iFrame, the browser reads the src attribute in the <iframe> tag and makes a separate HTTP request to the specified URL to retrieve the content.
Loading the external content. The browser fetches the external content, which could be an entire HTML document, a media file, or any web resource. The content is treated as an independent document within the main webpage. The iFrame essentially creates a mini browser window inside the parent webpage, loading and rendering the content as if it were a standalone web page.
Rendering the content. The browser then displays the content inside the boundaries of the iFrame. The embedded content appears as if it were part of the main webpage, but it operates independently. The parent page and the iFrame content do not directly interact, although they share the same visual space.
Interaction and functionality. Users interact with the content inside the iFrame just as they would with any web page. For instance, if the iFrame contains a form, users can fill it out and submit it. The embedded content can include its own JavaScript, CSS, and other resources, executed within the iFrame context, separate from the parent page.
Independent document lifecycle. The embedded content within the iFrame has its own document lifecycle. This means that it loads, executes scripts, and interacts with its own resources independently of the parent page. For example, if the parent page is reloaded, the iFrame content will also be reloaded, but its state and behavior are managed separately from the main document.
Security and restrictions. Due to potential security risks, browsers implement various restrictions on iFrame content. For example, cross-origin policies prevent scripts in the parent page from accessing content inside an iFrame from a different domain. Additionally, developers use security headers and attributes like sandbox to further limit what the iFrame content can do, such as disabling scripts or preventing form submissions.

Attributes of an iFrame

The <iframe> element in HTML has several attributes that control its behavior, appearance, and interaction with the content it displays. Here’s a detailed explanation of the key attributes:

src. This attribute specifies the URL of the external content to be embedded within the iFrame. It is the most essential attribute because it determines what content will be loaded into the iFrame. For example, <iframe src="https://www.example.com"></iframe> will embed the content from "https://www.example.com" into the iFrame.
width and height. These attributes control the size of the iFrame in pixels or percentages. For instance, <iframe src="https://www.example.com" width="600" height="400"></iframe> will create an iFrame that is 600 pixels wide and 400 pixels tall.
frameborder. This attribute specifies whether the iFrame should have a border. The value 0 means no border, while 1 means a visible border. This attribute is now considered obsolete, with modern CSS being the preferred way to style the iFrame border.
scrolling. This attribute controls the visibility of scrollbars within the iFrame. It can take three values: yes, no, or auto. yes forces scrollbars to appear, no prevents them, and auto allows scrollbars to appear only when needed. For example, <iframe src="https://www.example.com" scrolling="no"></iframe> will prevent scrollbars from appearing even if the content is larger than the iFrame.
sandbox. This powerful attribute enables a set of extra restrictions on the content within the iFrame to enhance security. It can be used to disable scripts, prevent form submission, block the use of plugins, and restrict other potentially risky behaviors. The value of this attribute can be a space-separated list of restrictions, such as allow-scripts, allow-forms, allow-same-origin, etc. For example, <iframe src="https://www.example.com" sandbox="allow-scripts"></iframe> would allow scripts to run within the iFrame but with other restrictions in place.
allow. The allow attribute specifies a feature policy for the content in the iFrame. This controls permissions for things like camera access, geolocation, fullscreen mode, and more. It’s a way to explicitly grant or deny certain browser features to the content inside the iFrame. For instance, <iframe src="https://www.example.com" allow="geolocation 'self'; camera 'none'"></iframe> allows the content to access geolocation only for the same origin and disables camera access altogether.
name. This attribute assigns a name to the iFrame, which can be useful for targeting it with links or scripts. For example, a link with target="iframe_name" will open the linked content within the named iFrame. This is particularly useful in situations where multiple iFrames exist on a page.
srcdoc. This attribute allows you to directly embed HTML content within the iFrame instead of loading it from an external source. It’s useful for embedding small pieces of HTML content without the need for a separate file. For example, <iframe srcdoc="<p>Hello, world!</p>"></iframe> would display "Hello, world!" inside the iFrame.
referrerpolicy. This attribute controls the amount of referrer information that should be sent when fetching the src URL. It helps in managing privacy and security concerns related to referrer data. The values can be no-referrer, origin, strict-origin, etc., which determine how much of the original page’s URL is shared with the embedded content.
loading. The loading attribute specifies whether the iFrame should be loaded immediately or delayed. The values can be eager, which loads the iFrame as soon as possible, or lazy, which defers loading until the iFrame is near the viewport, improving performance and user experience by reducing initial load time.
referrerpolicy. This attribute sets the referrer policy for requests made by the iframe, which affects the amount of information about the referring page sent to the iframe's content. Options include no-referrer, origin, same-origin, and strict-origin.
csp. The csp (content security policy) attribute allows the developer to specify a content security policy specifically for the content in the iFrame. This enforces certain security measures, like which sources of content are allowed to be loaded, which can prevent certain types of attacks like cross-site scripting (XSS).

What Are iFrames Used For?

iFrames are used for a variety of purposes in web development, primarily to embed external content within a web page while maintaining a separate context for that content. Here are some common use cases:

Embedding videos. iFrames are widely used to embed videos from platforms like YouTube, Vimeo, or other video hosting services. This allows users to watch videos directly on a website without navigating away from the page. The embedded video player, complete with controls, is loaded within the iFrame.
Integrating maps. iFrames are often used to embed interactive maps from services like Google Maps or OpenStreetMap. This provides users with the ability to view and interact with maps directly on the webpage, which is especially useful for displaying locations, directions, and other geographical data.
Displaying external webpages or documents. iFrames allow the inclusion of entire web pages or documents from other websites. This is commonly used to display content such as terms of service, privacy policies, or other external documents without requiring users to leave the current site.
Loading third-party widgets and plugins. Many third-party services, such as social media platforms, customer support chat tools, and advertising networks, provide widgets that can be embedded using iFrames. This allows websites to integrate functionalities like Facebook comments, X feeds, or live chat support without extensive backend development.
Hosting advertisements. iFrames are commonly used to embed advertisements on web pages. Ad networks often provide iFrame-based ad tags, which help isolate the ad content from the rest of the page to prevent conflicts between the ad's code and the page's code.
Isolating content for security reasons. iFrames can be used to embed content from external sources while keeping it isolated from the parent page's scripts and styles. This is particularly useful for maintaining security boundaries, as it prevents potentially unsafe content from affecting the main page.
Testing and previewing content. Developers often use iFrames to test or preview content from a development environment on a live site. This allows for easy comparison and testing without fully integrating the content into the site.
Displaying responsive content. iFrames can be used to display responsive content that adjusts to different screen sizes, such as responsive web pages or applications. This is useful for ensuring that embedded content is accessible and visually consistent across devices.
Embedding forms and interactive tools. iFrames are used to embed forms, surveys, calculators, and other interactive tools from external sources. This enables websites to offer complex functionality without having to develop these tools from scratch.
Cross-domain embedding. When content needs to be embedded from a different domain, iFrames provide a method to do so while maintaining the separation of origin contexts. This is particularly useful for content that is hosted on a different server or domain, allowing for easier management and deployment.

iFrame Examples

Here are two examples of iFrames in use.

Example 1: Embedding a YouTube Video

This example demonstrates how to embed a YouTube video within a webpage using an iFrame.

<!DOCTYPE html>

<html lang="en">

<head>

    <meta charset="UTF-8">

    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <title>iFrame YouTube Example</title>

</head>

<body>

    <h1>Watch this Video:</h1>

    <iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ"

    title="YouTube video player" frameborder="0" allow="accelerometer; autoplay;

    clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen>

    </iframe>

</body>

</html>

Explanation:

The src attribute is set to the URL of the YouTube video. In this case, it is an example video.
The width and height attributes define the size of the video player.
The allow attribute specifies permissions for features like autoplay, encrypted media, and fullscreen.
The allowfullscreen attribute allows the video to be viewed in fullscreen mode.

Example 2: Embedding a Google Map

This example shows how to embed a Google Map into a webpage using an iFrame.

<!DOCTYPE html>

<html lang="en">

<head>

    <meta charset="UTF-8">

    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <title>iFrame Google Map Example</title>

</head>

<body>

    <h1>Our Location:</h1>

    <iframe src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d3151.8354345096274!

    2d144.95373631531565!3d-37.81720997975142!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!3m3!1m2!

    1s0x6ad65d43f1a5d53b%3A0x1aaf3d5a5b64db5e!2sFederation%20Square!5e0!3m2!1sen!2sau!4v1617174192722!5m2!

    1sen!2sau"

    width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy"></iframe>

</body>

</html>

Explanation:

The src attribute contains the URL provided by Google Maps for embedding the map. The URL includes specific parameters that determine the location and view settings.
The width and height attributes define the size of the map on the webpage.
The style="border:0;" part removes any borders around the map.
The allowfullscreen attribute allows users to view the map in fullscreen mode.
The loading="lazy" attribute defers the loading of the map until it's near the viewport, improving page load performance.

How to Use iFrames?

The following passages explain how to use iFrames to get the maximum out of your user experience.

Embed External Content

To embed external content into a webpage, developers typically use the <iframe> HTML element, which allows them to incorporate resources such as videos, maps, or entire web pages from other domains directly within their site. The process involves specifying the source of the content through the src attribute in the <iframe> tag, which points to the URL of the external content. Additional attributes like width, height, and allow can be used to control the appearance and behavior of the embedded content, ensuring it fits seamlessly within the page's design.

By embedding external content this way, developers enhance the functionality and interactivity of their web pages, offering users a richer experience without requiring them to leave the site.

Load Content Dynamically

Loading content dynamically within an iFrame involves changing the source (src) of the iFrame in response to user interactions or other triggers, such as buttons or links. This can be achieved using JavaScript, where you can manipulate the iFrame's src attribute to load new content without a full page reload.

For example, when a user clicks a button, a JavaScript function can be executed that updates the src attribute of the iFrame, causing it to fetch and display a new HTML document or web resource. This approach is particularly useful for creating dynamic web applications where different content needs to be displayed within the same area of the page based on user actions, enhancing the user experience by providing seamless transitions between different pieces of content.

Additionally, by leveraging the history.pushState API in combination with dynamic iFrame content, it's possible to maintain browser history, allowing users to navigate back and forth through the dynamically loaded content as if they were traditional page loads.

Creating Inline Frames

Creating inline frames, commonly known as iFrames, involves using the <iframe> HTML element to embed external content directly within a webpage. This element is versatile, allowing developers to insert anything from videos and maps to entire web pages or interactive widgets into the existing content. By specifying the src attribute, you define the URL of the content to be embedded, while other attributes like width, height, and frameborder control the iFrame's appearance and behavior.

iFrames are particularly useful for seamlessly integrating third-party content, enabling users to interact with external resources without leaving the main site. With additional attributes such as sandbox and allow, developers can fine-tune security and functionality, ensuring the embedded content behaves as intended while maintaining the overall integrity and performance of the website.

iFrames Best Practices

When using iFrames in web development, following best practices is essential to ensure that they function correctly, maintain security, and provide a good user experience. Here are some best practices for using iFrames:

Use the sandbox attribute for security. The sandbox attribute enhances security by applying restrictions on the content within the iFrame. By default, iFrames can introduce security risks such as cross-site scripting (XSS). Using sandbox limits the actions that the embedded content can perform, such as running scripts, submitting forms, or accessing browser storage. You can also selectively allow certain features like scripts or forms by specifying additional allow values.

<iframe src="https://example.com" sandbox="allow-scripts"></iframe>

Specify a title attribute for accessibility. Adding a descriptive title attribute to your iFrame improves accessibility, particularly for users relying on screen readers. The title attribute provides a brief description of the content, helping users understand what the embedded content is.

<iframe src="https://example.com" title="Interactive map of our location"></iframe>

Ensure responsive design. iFrames can sometimes disrupt the responsiveness of a webpage, especially on smaller screens. To ensure that the iFrame content scales correctly across different devices, use CSS to make the iFrame responsive. You can achieve this by setting the width and height to percentages or using viewport units, combined with max-width and max-height constraints.

iframe {

    width: 100%;

    height: auto;

    max-width: 600px;

    max-height: 400px;

}

Avoid overusing iFrames. While iFrames are useful, overuse leads to slower page load times, security risks, and a poor user experience. Whenever possible, consider alternative methods such as using APIs or embedding content directly into the page instead of relying on multiple iFrames.
Set a referrer policy. The referrerpolicy attribute controls the amount of referrer information that is sent when the iFrame content is loaded. This can help protect user privacy and prevent sensitive information from being shared with the embedded content. Common values include no-referrer, origin, or strict-origin-when-cross-origin.

<iframe src="https://example.com" referrerpolicy="no-referrer"></iframe>

Use the loading attribute to improve performance. The loading attribute helps optimize page performance by deferring the loading of offscreen iFrames until they are needed (i.e., when they are near the viewport). The lazy value delays loading, while eager loads the iFrame immediately.

<iframe src="https://example.com" loading="lazy"></iframe>

Set appropriate allow permissions. The allow attribute specifies which features the iFrame content is permitted to use, such as geolocation, camera access, or autoplay. Setting precise permissions limits the capabilities of the embedded content, enhancing security and user privacy.

<iframe src="https://example.com" allow="geolocation; microphone; camera"></iframe>

Consider cross-origin policies. iFrames that load content from different domains can introduce security challenges. Implement cross-origin resource sharing (CORS) policies on the server hosting the iFrame content and use X-Frame-Options or the Content-Security-Policy (CSP) headers to control which sites can embed your content in an iFrame. This helps prevent clickjacking and other security exploits.
Provide fallback content. In case the iFrame fails to load or is blocked, consider providing fallback content within the <iframe> tag. This content will be displayed if the iFrame cannot load, offering a better user experience.

<iframe src="https://example.com">

    <p>Your browser does not support iFrames. Please visit <a href="https://example.com">this link</a> instead.</p>

</iframe>

Monitor performance impact. iFrames can slow down page performance, especially if they contain heavy content like videos or interactive elements. Regularly monitor the impact of iFrames on your page’s load time and optimize or lazy-load iFrames that are not immediately visible to the user.