Troubleshooting
Sandbox / iframe limitations
linkembed shows embedded content inside a secure “sandbox”. That keeps your visitors safe but also means some things that work on a normal webpage may not work inside the embed. This page explains what to expect.
Why we use a sandbox
When you embed content from another site (e.g. Google Drive, Dropbox), it runs inside a confined area (an iframe with sandbox rules). That prevents the embedded page from doing things that could harm the visitor or your page - like running unexpected scripts or redirecting in unwanted ways. Sandboxing is a standard way to make embeds safer.
What might behave differently
- Pop-ups and new windows - Some embedded sites want to open new tabs or windows. The sandbox allows “pop-ups” in a controlled way, but strict browser or device settings can still block them. If something expects to open in a new window and doesn’t, the visitor may need to use a direct link to the source in a new tab.
- Downloads - Download links inside the embed can work, but again browser or device policies can restrict them. If a download doesn’t start, the visitor can try opening the link in a new tab or using the source site directly.
- Login or forms - Pages that require login or complex forms may work inside the embed, but some sites detect that they’re in an iframe and show an “open in new tab” message. That’s a choice the source site makes, not something we can change.
Blank or “refused to display”
If the embedded site sends headers that say “don’t allow framing” (an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive), the browser will refuse to show it in our embed. In that case you’ll see a blank area or a browser message. That’s the source platform blocking embedding. Use a redirect link to send visitors to the content instead, and see Limitations & platforms for which services we know don’t allow embedding.
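The header check described above, as an added example (not linkembed's own code): it predicts the browser's framing decision from a page's response headers. The origins and header values are constructed, and matching is simplified: ports and paths in sources are ignored, and only one level of framing is assumed.

```javascript
// Added example: predict whether a browser will refuse to frame a page.
// Simplified matching: ports and paths in sources are ignored, and only the
// direct embedding page is checked (one level of framing).

// Does one frame-ancestors source expression match the embedding page?
function sourceMatches(source, embedder, target) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return embedder.origin === target.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && embedder.protocol !== scheme + ":") return false;
  // "*.example.com" covers subdomains only, not example.com itself.
  return wildcard ? embedder.hostname.endsWith("." + host) : embedder.hostname === host;
}

// headers: response headers of the framed page, keyed by lowercase name.
function framingVerdict(headers, embedderUrl, targetUrl) {
  const embedder = new URL(embedderUrl);
  const target = new URL(targetUrl);
  // Several policies may arrive comma-joined; every one that has a
  // frame-ancestors directive must allow the embedder.
  const lists = (headers["content-security-policy"] || "")
    .split(",")
    .map((policy) => policy.split(";").map((d) => d.trim().split(/\s+/))
      .find((d) => d[0].toLowerCase() === "frame-ancestors"))
    .filter(Boolean);
  if (lists.length > 0) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const ok = lists.every((d) => d.slice(1).some((s) => sourceMatches(s, embedder, target)));
    return ok ? "allowed" : "blocked by frame-ancestors";
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked by X-Frame-Options";
  if (xfo === "SAMEORIGIN" && embedder.origin !== target.origin) return "blocked by X-Frame-Options";
  return "allowed";
}

// Constructed sample: hypothetical embedding page and source document.
const sample = { "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.embed.example" };
console.log(framingVerdict(sample, "https://app.embed.example/p/1", "https://files.example/doc"));
```

A "blocked" verdict corresponds to the blank area or browser message described above; a redirect link is the fallback in that case.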
What you can do
Prefer the platform’s official embed option or embed code when they offer one. If a platform blocks embedding entirely, create a redirect link so visitors still get a clean, branded URL that takes them to the content. For behavior that depends on the embedded site (e.g. login, downloads), we can’t change how that site behaves inside the sandbox; sharing the direct link with your audience is the fallback.