iFrame Tester
Preview any URL inside an iFrame with configurable viewport dimensions and sandbox permissions. Quickly check whether a site allows iFrame embedding.
About the iFrame Tester
The iFrame Tester lets you embed any URL in an inline frame and preview how it renders at different viewport sizes. It is useful for testing whether a site allows embedding, checking responsive layouts across common device widths, and experimenting with iFrame sandbox permissions.
Viewport presets
Use the preset buttons to instantly switch between four common viewport widths:
- Desktop — 1280 × 800px, a common laptop screen resolution
- Laptop — 1024 × 768px, a smaller or older screen
- Tablet — 768 × 1024px, iPad portrait orientation
- Mobile — 375 × 812px, iPhone-class screen
You can also type any custom width and height directly into the dimension inputs. The iFrame wrapper scrolls horizontally if the frame is wider than the browser window, so you can test wide layouts without distortion.
The sandbox attribute
The HTML sandbox attribute restricts what an embedded page is allowed to do. When sandbox is enabled with no permissions, the embedded page is maximally restricted: no scripts, no forms, no popups, no same-origin access. Individual permissions can then be added back:
- allow-scripts — permits JavaScript execution in the embedded page
- allow-same-origin — allows the page to be treated as same-origin (required for cookies and localStorage)
- allow-forms — permits form submission
- allow-popups — allows the page to open new windows or tabs
- allow-top-navigation — allows the embedded page to navigate the top-level browsing context
Note: when the embedded page shares the origin of the page that embeds it, combining allow-scripts and allow-same-origin is equivalent to no sandbox at all, since a script in the frame can remove the sandbox attribute. Only use both together when testing with fully trusted content.
Why some sites won't load
Many production sites actively block iFrame embedding using HTTP response headers. If the preview is blank or the browser shows a refused-to-connect error, the site has opted out of embedding via one of these mechanisms:
- X-Frame-Options: DENY — blocks embedding in any frame, regardless of origin
- X-Frame-Options: SAMEORIGIN — only allows embedding from the same domain
- Content-Security-Policy: frame-ancestors 'none' — the modern CSP equivalent of DENY
This is expected and intentional security behaviour. The iFrame Tester helps you quickly confirm whether a given URL embeds successfully, without having to build a test page yourself or dig through response headers in DevTools.
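The header logic described above can be checked from response headers directly. This is an added example, not code from the iFrame Tester; the function names and the sample origins are assumptions, and it goes slightly beyond the three header values listed by also handling 'self', * and explicit origins in frame-ancestors.

```javascript
// Added example. Simplifications: single-level embedding, one CSP header, and only
// 'none', 'self', * and exact scheme://host origins are matched (others count as no match).
function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// headers: object with lower-cased header names; parentOrigin: origin of the embedding page.
function canEmbed(headers, pageUrl, parentOrigin) {
  const pageOrigin = new URL(pageUrl).origin;
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
    const allowed = sources.some((src) => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "*") return true;
      if (s === "'self'") return parentOrigin === pageOrigin;
      try { return new URL(src).origin === parentOrigin; } catch { return false; }
    });
    return { allowed, reason: "CSP frame-ancestors " + sources.join(" ") };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: parentOrigin === pageOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  return { allowed: true, reason: "no framing restriction sent" };
}

// Constructed sample responses, not captured from real sites.
const samples = [
  [{ "x-frame-options": "DENY" }, "https://app.example/"],
  [{ "x-frame-options": "SAMEORIGIN" }, "https://app.example/"],
  [{ "content-security-policy": "default-src 'self'; frame-ancestors 'none'" }, "https://app.example/"],
  [{}, "https://app.example/"],
];
for (const [headers, url] of samples) {
  console.log(canEmbed(headers, url, "https://tool.example").reason);
}
```
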
Common use cases
- Testing whether a third-party widget, map, or video embed will load in your app
- Verifying responsive layout at mobile or tablet breakpoints
- Checking how a page behaves with scripts disabled (sandbox without allow-scripts)
- Confirming that an internal tool or dashboard can be safely iFramed
- Quickly identifying which sites block embedding before committing to an integration
Privacy
The iFrame Tester does not transmit any data to Dev-Utilities servers. The URL you enter is loaded directly by your browser — the same as typing it in the address bar, except inside an iFrame. Your browsing history and the content of the loaded pages are not accessible to Dev-Utilities. Learn more about how Dev-Utilities handles privacy.