Embedding your board in an iframe

In this article


You can embed your Feature Update board into your own website. This is achieved by using an HTML iframe.

You’ll either need to be a web developer – or have an access to one – to do this.

For security reasons, by default your board won’t work if embedded in an iframe. You’ll need to specifically enable this for your board.

Enabling iframe embedding

We disable iframe embedding by default. That’s because there is a security risk from a technique called “clickjacking”. You can read more about clickjacking on Wikipedia.

You can safely enable iframe embedding by telling Feature Upvote the domain name of your site.

Go to your Feature Upvote dashboard.

Select ‘Settings’.

Board settings

Select ‘Embedding’

Screenshot of Feature Upvote's embedding screen

  • Enable the checkbox labelled ‘Allow feedback board to be embedded in HTML <iframe> tags’
  • Put the domain of your website site in the ‘Domains allowed to embed feedback board’ field
  • Click ‘Save’

Configuring Feature Upvote to allow iframe embedding

Explanation for web developers: Feature Upvote uses this information to add an appropriate Content-Security-Policy HTTP header to your board. Modern web browsers look for this header, and use it to make sure your board can’t be embedded in websites outside of your control.


Domains allowed to embed board

In the “Domains allowed to embed board” field, make sure you’ve entered  only the domain name. Don’t include the leading “https://” or trailing “/”.

  • Correct: example.com
  • Wrong: https://example.com/

Use a wildcard to include all your organisation’s domains:

  • *.example.com

This will match all subdomains but not “example.com” itself.

If you want the board to be embdedded on subdomains AND on your top-level domain, use:

  • *.example.com example.com

Suggestions not being saved

When your board is embedded in an iframe, it can't be used in Chrome's incognito mode.

This is due to a recent security change made by Chrome, regarding cookies. Cookies don't work in an iframe in Chrome's incognito mode, if the contents of the iframe come from a different URL to the site containing the iframe.

Unfortunately, we don't know of a work-around to this problem.