Iframes, explained.
Short, code-first answers to the questions developers actually ask about iframes — written by the team behind the Iframe Detector Chrome extension. Every snippet works as-is in DevTools. No fluff.
How to detect iframes
Three working ways to find every iframe on a page — a one-liner in DevTools, an enriched audit script, and a one-click extension. With code you can paste right now.
5 min read
Security · Audit
Find hidden iframes
The patterns invisible iframes use to hide — display:none, 1×1 pixels, off-screen tricks — and how to surface every single one in seconds.
4 min read
Reference · JavaScript
Am I inside an iframe?
The one-line JavaScript check that tells you whether your page is being framed — with the live answer right on this page, the caveats, and how to prevent framing.
3 min read
Security · Attack & defense
Clickjacking — and how to stop it
How a transparent iframe can hijack any click. A working proof of concept, the four defense headers that matter, and how to check whether your own site is vulnerable.
6 min read
Reference · Sandbox
iframe sandbox attribute
Every sandbox flag, what it allows, what it blocks, and the one combination you should never write. With real recipes for embedding user HTML, payment widgets, and third-party scripts.
7 min read
Reference · Quick lookup
iframe cheat sheet
Every iframe attribute, every sandbox flag, every Permissions-Policy feature, every defense header — on one page. Bookmark-it reference, paste-ready snippets, no fluff.
8 min read
Performance · Core Web Vitals
Lazy-loading iframes
What loading="lazy" actually does to your iframes, when it helps your LCP and INP, when it hurts, and how to pair it with fetchpriority. Built for the Core Web Vitals era.
5 min read
Reference · Origins
Common iframe domains
What every domain you'll find in an iframe audit actually is — YouTube, Stripe, DoubleClick, GTM, Facebook pixels and more. A reference for ad-audits, GDPR reviews, and curious developers.
6 min read
Comparison · Tooling
Iframe checker tools, compared
Honest, side-by-side comparison of the five ways to inspect iframes on a webpage — DevTools, console snippets, our extension, generic privacy tools, and a custom MutationObserver.
5 min read