Session replay is supported for websites that use iframes. Please see the tables below to find your specific use case and what's captured. For more details, see our guide to installing heap within an iframe.
Note that all iframe setups require you to enable secure cookies. Navigate to Manage Account Privacy & Security and scroll down to the Cookies section to toggle on Secure Cookies. Alternatively, you can enable secure cookies in your website’s code using the secureCookie JavaScript snippet.
Safari will block cookies if they are set in an iframe. This will prevent Heap from capturing the content of your iFrame
iframe scenarios
Outer page and inner iframe are on different domains
| You want to… | Supported? | How to implement |
| capture both the outer page and the inner iframe, with the same Heap script | Yes | Heap must be installed on both the outer page and the inner iframe. The events on the outer page and inner iframe will be stitched in the same session replay. |
| capture the inner iframe only (block the outer page) | Yes | Heap must be installed only on the inner iframe. Interactions on the outer page won't be captured. |
| capture both the outer page and the inner iframe, but with different Heap scripts | Yes | Heap must be installed on both the outer page and the inner iframe. The events on the outer page and inner iframe will be associated with different session replays in different Heap environments. |
| capture the outer page only (block the inner iframe) | Yes | If Heap is already installed on the inner iframe, the inner iframe URL must be added to your list of blocked URLs. Otherwise, install Heap only on the outer page. |
Outer page and inner iframe are on the same domain
| You want to… | Supported? | How to implement |
| capture both the outer page and the inner iframe | Yes | Heap must be installed on both the outer page and the inner iframe. |
| capture the outer page only (block the inner iframe) | Limited | Add the inner iframe URL to your list of blocked URLs. Note that some same-domain iframes might still be captured depending on your implementation. |
Important limitations
When tracking iframes, be aware of these limitations:
- JavaScript restrictions: If JavaScript is required for iframe content to load and you're only tracking the outer page, the iframe may appear as an empty space in session replay.
- Third-party content: Many third-party tools (chatbots, video players like YouTube and Vimeo, forms like Typeform, payment systems, etc.) may not display properly in session replay even with proper tracking installed.
- Cookie blocking: Safari 12+, Chrome 83+ (Incognito mode), and Firefox 67+ (private browsing mode) block third-party cookies in iframes by default which can impact tracking.