Common iframe domains, decoded.
When you scan a modern web page for iframes you usually find a dozen, and most of them are not from the site you are looking at. This page is the legend: what each common origin actually is, whether it is normally visible or hidden, and what data it tends to send. Useful for ad audits, GDPR reviews, security sweeps, and curiosity.
Video & media
youtube.com/embed (Privacy-sensitive): Standard YouTube video player. Sets cookies for the doubleclick.net family the moment it loads. Use youtube-nocookie.com/embed instead for ad-cookie-free playback until user interaction.
youtube-nocookie.com/embed (Standard embed): Privacy-enhanced YouTube embed. No tracking cookies until the user actually clicks play.
player.vimeo.com/video (Standard embed): Vimeo video player.
open.spotify.com/embed (Standard embed): Spotify track / album / podcast embed.
w.soundcloud.com/player (Standard embed): SoundCloud audio embed.
player.twitch.tv (Standard embed): Twitch live and VOD embeds.
Payments
js.stripe.com (Standard embed): Stripe Elements payment fields. Each input renders in its own sandboxed cross-origin iframe so card data never reaches your page.
m.stripe.network (Usually hidden · Standard embed): Stripe controller frame — coordinates Elements behind the scenes.
www.paypal.com/sdk (Standard embed): PayPal Checkout iframe — Smart Buttons, hosted fields, recurring billing.
assets.braintreegateway.com (Standard embed): Braintree hosted fields. Behaves similarly to Stripe Elements.
checkoutshopper-live.adyen.com (Standard embed): Adyen drop-in checkout / 3DS challenge frames.
pay.google.com/gp/p/ui (Standard embed): Google Pay button and iframe.
Social embeds
platform.twitter.com / embed.x.com (Standard embed): Tweet embed widget. Twitter rebranded these to embed.x.com but the old URL is still served.
instagram.com/p/.../embed (Standard embed): Instagram post embed.
www.facebook.com/plugins (Standard embed): Facebook like buttons, page plugins, video and post embeds.
www.tiktok.com/embed (Standard embed): TikTok video embed.
www.linkedin.com/embed (Standard embed): LinkedIn post and profile embeds.
redditmedia.com / reddit.com/embed (Standard embed): Reddit post embed.
Analytics, ads & trackers
googletagmanager.com/ns.html (Usually hidden · Privacy-sensitive): Google Tag Manager noscript fallback. Loaded as a hidden iframe so GTM still fires for users without JS. Counts as a tracker — surface it in GDPR audits.
doubleclick.net / *.doubleclick.net (Privacy-sensitive): Google’s ad-serving network. Most display ads on the web load through here. Always classified as an ad/tracker origin.
googleads.g.doubleclick.net (Standard embed): Google ad network frame — usually inside a larger DoubleClick / GAM iframe.
googlesyndication.com (Standard embed): Google AdSense ad iframes.
www.facebook.com/tr (Usually hidden · Privacy-sensitive): Meta Pixel tracking beacon. 1×1 pixel, fires on page view and custom events. GDPR-relevant — needs consent before firing in EU/EEA.
connect.facebook.net (Usually hidden · Standard embed): Facebook SDK loader. Often paired with a hidden tracking iframe.
px.ads.linkedin.com (Usually hidden · Standard embed): LinkedIn Insight Tag tracking pixel.
static.hotjar.com (Privacy-sensitive): Hotjar session-replay iframe. Records DOM-level interactions — disclose explicitly.
static.ads-twitter.com (Usually hidden · Standard embed): Twitter / X conversion tracking pixel.
analytics.tiktok.com (Usually hidden · Standard embed): TikTok Pixel for ad attribution.
stats.g.doubleclick.net (Usually hidden · Standard embed): Google Analytics Universal / GA4 ad-feature beacon.
Customer support & chat
widget.intercom.io (Standard embed): Intercom Messenger floating widget.
js.driftt.com / js.drift.com (Standard embed): Drift live-chat widget.
static.zdassets.com (Standard embed): Zendesk Web Widget / Chat.
kit.fontawesome.com (Standard embed): Not chat — Font Awesome kit loader. Common false-positive in audits.
embed.tawk.to (Standard embed): Tawk.to chat widget.
Maps
google.com/maps/embed (Standard embed): Standard Google Maps embed.
api.mapbox.com (Standard embed): Mapbox tiles loader. Usually a script, sometimes an iframe.
yandex.com/map-widget (Standard embed): Yandex Maps embed.
Authentication & SSO
accounts.google.com/gsi (Usually hidden · Standard embed): Google Sign-In silent renewal iframe. Often hidden.
login.microsoftonline.com (Usually hidden · Standard embed): Microsoft Entra (Azure AD) silent auth iframe.
*.auth0.com (Usually hidden · Standard embed): Auth0 silent renewal frame.
How to verify what you found
Origins are only part of the picture. The same domain can serve very different iframes (a video player and a hidden tracker can both come from a Google subdomain). When you encounter an unfamiliar origin in your audit, run two checks:
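    // Run in the DevTools console of the page being audited.
    Array.from(document.querySelectorAll('iframe')).map(f => ({
      // Frames with no src (srcdoc, script-injected) fall back to about:blank, whose origin is "null".
      origin: new URL(f.src || 'about:blank').origin,
      src: f.src,
      // Not rendered (display:none on the frame or an ancestor) or collapsed to a 1px beacon.
      // offsetParent is not used: it is also null for position:fixed frames such as chat widgets.
      hidden: f.getClientRects().length === 0 || f.offsetWidth <= 1,
      size: `${f.offsetWidth}x${f.offsetHeight}`,
    }));

Then switch to the Network panel, filter by the origin, and inspect what it actually loads. The path tells you which product (e.g. /pagead/conversion vs /embed/).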
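The point above, that one host can serve both an embed and a tracker and the path decides which, shown as an added example (not this page's or the Iframe Detector extension's code): a host-plus-path classifier over a subset of the entries listed on this page. The rule format, function names and sample URLs are assumptions made for illustration.

```javascript
// Added example. Each rule: [host, path prefix, page section, page label],
// taken from a subset of this page's lists. Names and sample URLs are constructed.
const RULES = [
  ['youtube.com', '/embed', 'Video & media', 'Privacy-sensitive'],
  ['youtube-nocookie.com', '/embed', 'Video & media', 'Standard embed'],
  ['www.facebook.com', '/plugins', 'Social embeds', 'Standard embed'],
  ['www.facebook.com', '/tr', 'Analytics, ads & trackers', 'Usually hidden · Privacy-sensitive'],
  ['googletagmanager.com', '/ns.html', 'Analytics, ads & trackers', 'Usually hidden · Privacy-sensitive'],
  ['doubleclick.net', '/', 'Analytics, ads & trackers', 'Privacy-sensitive'],
  ['googleads.g.doubleclick.net', '/', 'Analytics, ads & trackers', 'Standard embed'],
  ['google.com', '/maps/embed', 'Maps', 'Standard embed'],
  ['accounts.google.com', '/gsi', 'Authentication & SSO', 'Usually hidden · Standard embed'],
];

// Host matches exactly or as a subdomain; the '.' boundary keeps
// "youtube.com.example.net" and "notyoutube.com" from matching "youtube.com".
const hostMatches = (hostname, ruleHost) =>
  hostname === ruleHost || hostname.endsWith('.' + ruleHost);

// Path matches on a segment boundary, so "/tr" does not match "/trending".
const pathMatches = (pathname, prefix) =>
  prefix === '/' || pathname === prefix || pathname.startsWith(prefix + '/');

function classifyFrame(src, pageOrigin) {
  const noUrl = { section: 'no-url', label: null, rule: null };
  let url;
  try { url = new URL(src); } catch { return noUrl; }
  // about:blank, srcdoc and data: frames have no network origin to look up.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return noUrl;
  // Most specific rule wins: longest host first, then longest path prefix.
  const [best] = RULES
    .filter(([host, prefix]) => hostMatches(url.hostname, host) && pathMatches(url.pathname, prefix))
    .sort((a, b) => b[0].length - a[0].length || b[1].length - a[1].length);
  if (best) return { section: best[2], label: best[3], rule: best[0] + best[1] };
  const section = url.origin === pageOrigin ? 'same-origin' : 'unlisted cross-origin';
  return { section, label: null, rule: null };
}

// Constructed sample: the same host lands in different sections depending on path.
const samples = [
  'https://www.facebook.com/tr?id=0&ev=PageView',
  'https://www.facebook.com/plugins/like.php',
  'https://www.facebook.com/trending',
  'https://youtube.com.example.net/embed/x',
];
for (const s of samples) console.log(s, '->', classifyFrame(s, 'https://shop.example').section);
```

Frames that come back as "unlisted cross-origin" are the ones to take to the Network panel.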
Iframe Detector flags these automatically
The Iframe Detector Chrome extension classifies frames by origin — same-origin, cross-origin, ads, trackers — and labels hidden frames explicitly. The output of one click is the same list you would build with the snippet above, but it also colour-codes the known ad-tech and analytics domains from the lists on this page.
Missing an origin?
We update this page as new patterns appear in audits. If you spot a common iframe origin not listed here — open an issue or email lewawebextensions@gmail.com.