# Iframe recording - Docs

PostHog **can** record iframes embedded in your website as long as:

1.  ✅ The embedded iframe is from the same domain as the main page (e.g. `https://posthog.com` embeds `https://posthog.com/iframe`)

2.  ✅ The embedded iframe is from a domain that you can install `posthog-js`, add the `recordCrossOriginIframes` configuration option, and set the correct content security policy (e.g. `https://posthog.com` embeds `https://app.posthog.com/iframe` or `https://dictatorortechbro.com/`)

PostHog **cannot** record iframes embedded in your website if:

-   ❌ The embedded iframe is from a domain that is not under your control (e.g. `https://posthog.com` embeds `https://google.com/iframe`)

## Recording same-origin iframes

If the iframe is from the same domain as the main page, there is no special setup needed. As long as PostHog is installed on both the parent page and the iframe, the recording will work as expected.

## Recording cross-origin iframes

> 🚧 **Security warning**: Before enabling the cross-origin recording, be aware that when using an iframe that communicates with the parent page, there are potential security risks. Ensure your Content Security Policy (CSP) only permits trusted domains and correctly employs directives like `frame-src` or `frame-ancestors`. Failure to do so can lead to security breaches where an attacker would embed your website on their domain, gaining access to the recorded content. If unsure about CSP configurations, consult your security team or reach out to PostHog support.

To record from a cross-origin iframe:

1.  Ensure that `posthog-js` is installed on both the parent domain and the iframe one.

2.  Make sure both domains are [authorized domains for recordings](/docs/session-replay/troubleshooting.md#1-authorized-domains-for-recordings).

3.  Initialize PostHog **on both domains** with an explicit configuration as below:

Web

PostHog AI

```javascript
posthog.init('<ph_project_token>', {
    session_recording: {
        // WARNING: Only enable this if you understand the security implications
        recordCrossOriginIframes: true,
    }
})
```

With this setting enabled, the child iframe will post events to the parent instead, resulting in a single replayable recording. If the parent page does not have this enabled, then the content of the embedded iframe will not be captured at all.

### Community questions

Ask a question

### Was this page useful?

HelpfulCould be better