Embedding your board in an iframe
In this article
Introduction
You can embed your Feature Update board into your own website. This is achieved by using an HTML iframe.
You’ll either need to be a web developer – or have an access to one – to do this.
For security reasons, by default your board won’t work if embedded in an iframe. You’ll need to specifically enable this for your board.
Enabling iframe embedding
We disable iframe embedding by default. That’s because there is a security risk from a technique called “clickjacking”. You can read more about clickjacking on Wikipedia.
You can safely enable iframe embedding by telling Feature Upvote the domain name of your site.
Go to your Feature Upvote dashboard.
Select ‘Settings’.
Select ‘Embedding’
- Enable the checkbox labelled ‘Allow feedback board to be embedded in HTML
<iframe>
tags’ - Put the domain of your website site in the ‘Domains allowed to embed feedback board’ field
- Click ‘Save’
Explanation for web developers: Feature Upvote uses this information to add an appropriate Content-Security-Policy
HTTP header to your board. Modern web browsers look for this header, and use it to make sure your board can’t be embedded in websites outside of your control.
Troubleshooting
Domains allowed to embed board
In the “Domains allowed to embed board” field, make sure you’ve entered only the domain name. Don’t include the leading “https://” or trailing “/”.
- Correct:
example.com
- Wrong:
https://example.com/
Use a wildcard to include all your organisation’s domains:
*.example.com
This will match all subdomains but not “example.com” itself.
If you want the board to be embdedded on subdomains AND on your top-level domain, use:
*.example.com example.com
Suggestions not being saved
When your board is embedded in an iframe, it can't be used in Chrome's incognito mode.
This is due to a recent security change made by Chrome, regarding cookies. Cookies don't work in an iframe in Chrome's incognito mode, if the contents of the iframe come from a different URL to the site containing the iframe.
Unfortunately, we don't know of a work-around to this problem.