How do I communicate between an iframe and parent page?

Use window.postMessage to send messages and window.addEventListener('message', ...) to receive. Always validate event.origin to ensure the message is from the expected source.

What is clickjacking?

An attack where a malicious site embeds a legitimate site in an invisible iframe, tricking users into clicking buttons they cannot see. X-Frame-Options and frame-ancestors prevent this by blocking unauthorized embedding.

Cross-Origin iframe Errors — X-Frame-Options, CSP, and Embedding Restrictions

Warningsecurity

About Cross-Origin iframe Errors

Fix cross-origin iframe embedding errors including X-Frame-Options DENY, CSP frame-ancestors violations, and postMessage communication between frames. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.

Here are the key things to understand: X-Frame-Options: DENY prevents the page from being embedded in any iframe. X-Frame-Options: SAMEORIGIN allows embedding only on the same origin. CSP frame-ancestors is the modern replacement for X-Frame-Options with more flexibility. Cross-origin iframes cannot access the parent page's DOM (same-origin policy). postMessage API enables safe communication between cross-origin frames. Understanding these fundamentals will help you diagnose and resolve this issue more effectively.

The most common reasons this occurs include: Target page sets X-Frame-Options: DENY or SAMEORIGIN blocking iframe embedding. CSP frame-ancestors directive not including the embedding origin. Trying to access cross-origin iframe content via JavaScript (blocked by same-origin policy). Payment gateway or OAuth provider blocking iframe embedding for security. Clickjacking protection preventing the page from being framed. Identifying the root cause is the first step toward finding the right solution.

To resolve this, follow these recommended steps: Check the console error: it will specify whether X-Frame-Options or CSP is blocking. If you control the framed page: set X-Frame-Options: ALLOW-FROM or CSP frame-ancestors to include your domain. For cross-origin communication: use postMessage instead of trying to access iframe.contentDocument. On the iframe side: window.addEventListener('message', handler) and validate event.origin. If the site blocks framing: there is no workaround — use a link to the page instead of an iframe. For CSP: set Content-Security-Policy: frame-ancestors 'self' https://allowed-domain.com. If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.

This article is part of our Browser Errors collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.

Quick Answer

Can I embed any website in an iframe?

No. The target website controls whether it can be framed via X-Frame-Options or CSP frame-ancestors. Many sites (Google, Facebook, banks) block iframe embedding to prevent clickjacking attacks.

Overview

Fix cross-origin iframe embedding errors including X-Frame-Options DENY, CSP frame-ancestors violations, and postMessage communication between frames.

Key Details

X-Frame-Options: DENY prevents the page from being embedded in any iframe
X-Frame-Options: SAMEORIGIN allows embedding only on the same origin
CSP frame-ancestors is the modern replacement for X-Frame-Options with more flexibility
Cross-origin iframes cannot access the parent page's DOM (same-origin policy)
postMessage API enables safe communication between cross-origin frames

Common Causes

Target page sets X-Frame-Options: DENY or SAMEORIGIN blocking iframe embedding
CSP frame-ancestors directive not including the embedding origin
Trying to access cross-origin iframe content via JavaScript (blocked by same-origin policy)
Payment gateway or OAuth provider blocking iframe embedding for security
Clickjacking protection preventing the page from being framed

Steps

1Check the console error: it will specify whether X-Frame-Options or CSP is blocking
2If you control the framed page: set X-Frame-Options: ALLOW-FROM or CSP frame-ancestors to include your domain
3For cross-origin communication: use postMessage instead of trying to access iframe.contentDocument
4On the iframe side: window.addEventListener('message', handler) and validate event.origin
5If the site blocks framing: there is no workaround — use a link to the page instead of an iframe
6For CSP: set Content-Security-Policy: frame-ancestors 'self' https://allowed-domain.com

More in Security

windows-defender-errorsWindows Defender Errors — Antivirus Not Working or Updating

Error

windows-error-0x80073b01-defender-serviceWindows Error 0x80073B01 — Windows Defender Service Failed to Start

Error

windows-bitlocker-recovery-key-errorsBitLocker Recovery Key Errors — Drive Locked and Recovery Key Not Found

Critical

mac-gatekeeper-app-blockedMac Gatekeeper — App Cannot Be Opened (Unidentified Developer)

Warning

mac-filevault-recovery-errorsMac FileVault Errors — Encryption, Decryption & Recovery Key Issues

Error

mac-keychain-errors-passwordsMac Keychain Errors — Password Prompts, Locked Keychain, and Repair Guide

Warning

Frequently Asked Questions

No. The target website controls whether it can be framed via X-Frame-Options or CSP frame-ancestors. Many sites (Google, Facebook, banks) block iframe embedding to prevent clickjacking attacks.

Cross-Origin iframe Errors — X-Frame-Options, CSP, and Embedding Restrictions

About Cross-Origin iframe Errors

Quick Answer

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in Security

Frequently Asked Questions