Adding embed codes directly to your website can be a security/privacy concern since they are provided by third parties and may include Javascript that can be used for tracking or other malicious purposes. Using a cross-origin iframe is the best way to prevent access to the parent window and protect your users' privacy.
We have tested multiple methods to sandbox iframe content and found that using a cross-origin iframe is the best way (you can still other methods if you want):
srcdoc
for content provides a seperate
about: origin for the iframe content, but multiple platforms (Reddit, X) do not
support it correctly.sandbox
attribute, but most embeds fail without the allow-same-origin
attribute, which defeats
the purpose of sandboxing.sandbox
and allow-same-origin
attributes is the best way to sandbox content. It gives the embed
access to local storage, etc. but in a seperate context, so it cannot access the parent window's
local storage or other sensitive information. All currently supported platforms in Hyvor Unfold are
compatible with this method.If your website is on example.org
, you can use a subdomain,
unfold.example.org
, or another domain, example.net
, for the iframe
endpoint. This makes the iframe cross-origin by default. The content inside the iframe cannot
access the parent window, and the parent window cannot access the content inside the iframe.
If you are using the Docker image, the iframe endpoint is already included.
On your website, use iframes with src
set to /iframe?url=my-url
to embed
content.
<iframe
src="https://unfold.example.org/iframe?url=https://url-to-embed.com"
sandbox="allow-scripts allow-same-origin allow-popups"
allow="fullscreen;accelerometer;clipboard-write;encrypted-media;gyroscope;picture-in-picture;web-share;"
></iframe>
See the sandbox and allow attributes for more information.
If you are using the PHP Library, you have to set up an endpoint within your website for the iframe. Here is an example with Laravel, but you can use any PHP framework.
Route::get('/unfold-iframe', 'IframeController@getIframe');
use Hyvor\Unfold\Unfold;
use Hyvor\Unfold\Exceptions\UnfoldException;
use Hyvor\Unfold\Embed\Iframe\PrivacyIframe;
use Illuminate\Http\Request;
class IframeController
{
public function getIframe(Request $request)
{
$url = $request->input('url');
try {
$data = Unfold::unfold($url, UnfoldMethod::EMBED);
} catch (UnfoldException) {
// handle the exception
}
return PrivacyIframe::wrap($data->embed);
}
}
The PrivacyIframe::wrap
method will wrap the embed code in a full HTML document with
sensible defaults. It will also include the necessary Javascript for
resizing the iframe based on the content.
You can then use the iframe in your website like this:
<iframe
src="/unfold-iframe?url=https://url-to-embed.com"
sandbox="allow-scripts allow-modals allow-popups"
></iframe>
Iframe resizing is a common problem when embedding content. The content inside the iframe may change its height based on user interactions. Since Javascript inside the iframe cannot access the parent window, we need to use a postMessage to communicate between the parent and child windows.
When you call the PrivacyIframe::wrap
method, it will include
child.js script
that will send the height of the content to the parent window.
On your website, you have to include the parent.js script. This script will listen to the messages from the child window and resize the iframe accordingly.
<script src="/parent.js"></script>
Or, since the code is pretty small, feel free to copy it to your source code directly.
Our recommendation: Keep the unfold iframe endpoint on a separate subdomain (e.g. unfold.example.org) from your main website (e.g. example.org). This makes the iframe cross origin by default and prevents access to the parent window.
This is the minimal setup required for the iframe to work cross-domain:
sandbox="allow-scripts allow-same-origin allow-popups allow-presentation"
allow-scripts
: Allows the content inside the iframe to execute scripts.allow-same-origin
: Gives access to local storage, etc. in a seperate context (it
cannot access the parent window's local storage).allow-popups
: Allows the content to open popups.If your website (e.g. example.org) and the unfold iframe endpoint (e.g. example.org/unfold-iframe) are on the same domain, you can use the following sandbox attribute:
The allow
attribute is used to enable certain features in the iframe. We recommend the
following to make sure embeds, especially video players, work correctly:
allow="fullscreen;accelerometer;clipboard-write;encrypted-media;gyroscope;picture-in-picture;web-share;"