Can This Website Be Embedded in an iframe?
iFrame Test is a free tool that checks whether any website can be embedded in an <iframe>. Enter a URL and it loads the page in a real frame: if the site appears, embedding is allowed; if it stays blank or refuses to connect, the site blocks framing with an X-Frame-Options header or a Content-Security-Policy frame-ancestors rule — and this page explains why.
Website URL
Enter any website URL to check if it can be embedded in an iframe
Quick Tests:
Live IFrame Test
Enter a URL above and click Test to check iframe embedding
Enter a URL above and click Test to see WebFuse proxy version
Understanding iframe Embedding
How do I check if a website can be embedded in an iframe?
Enter the website's URL in the field above and click Test. iFrame Test loads the page inside a real iframe — if the site appears, embedding is allowed; if you see a blank frame or a "refused to connect" message, the site blocks embedding. It is the fastest way to confirm without reading HTTP headers or code.
Why can't I embed certain websites in an iframe?
Most large sites block iframe embedding to prevent clickjacking, protect logged-in sessions, and stop their pages from being wrapped by others. They enforce this with the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive, which tell the browser to refuse rendering the page inside a frame.
What does the X-Frame-Options header do?
X-Frame-Options is an HTTP response header that controls whether a browser may render a page inside a frame. DENY blocks all framing, SAMEORIGIN allows only the site's own domain, and the deprecated ALLOW-FROM permitted one named origin. If a site sends DENY, no other website can embed it.
What is the CSP frame-ancestors directive?
frame-ancestors is a Content-Security-Policy directive listing which origins may embed a page in a frame, iframe, object, or embed. It supersedes X-Frame-Options and is more flexible — for example, frame-ancestors 'self' https://partner.com permits framing only by the site itself and one partner, while 'none' blocks all embedding.
What is iframe framebusting?
Framebusting (or frame-killing) is JavaScript a site runs to detect when it has loaded inside an iframe and then break out, usually by redirecting the top-level window to its own URL. Banks and some social networks use it as an extra layer on top of header-based protections, so a page can load briefly and then disappear.
What does "refused to connect" mean in an iframe?
"refused to connect" means the embedded site sent an X-Frame-Options or frame-ancestors rule that forbids framing, so the browser blocked it. It is not a network error — the page exists and loads normally on its own, but the site explicitly disallows being displayed inside another page's iframe.
Can I embed a website that blocks iframes?
A standard iframe cannot override X-Frame-Options or frame-ancestors — those are enforced by the browser for security. To display a site that blocks framing, you need a reverse proxy or co-browsing service such as Webfuse, which serves the page from its own domain so the embedding restriction no longer applies.
Websites That Commonly Block Embedding
Many of the most-visited sites refuse iframe embedding by default. Common examples that send DENY or a restrictive frame-ancestors rule include:
- YouTube (main site)
- X (Twitter)
- Amazon
- GitHub
- Most banks
Header rules change over time, so always confirm with a live test above. Sites such as Wikipedia and many blogs allow embedding because they send no framing restriction.